
Application Security

Project Zero: Zoom Platform Missed ASLR Exploit Mitigation

A prominent security researcher poking around at the Zoom video conferencing platform found worrying signs the company failed to enable a decades-old anti-exploit mitigation, a blunder that greatly increased exposure to malicious hacker attacks.

The discovery was made by Google Project Zero’s Natalie Silvanovich during a black box security audit of Zoom’s widely deployed software and again brings attention to basic developer mistakes that continue to cause major security problems.

Silvanovich, known for her work documenting security defects in Apple’s iMessage, found evidence that Zoom failed to enable Address Space Layout Randomization (ASLR), a memory safety mitigation first introduced in 2006 by Microsoft to make it more difficult to automate attacks against the operating system.

Over the years, the ASLR mitigation significantly raised the bar for attackers and forced exploit writers to chain multiple vulnerabilities to find reliable attack paths. However, as Silvanovich discovered, Zoom is joining a list of big-name vendors that failed to enable this basic mitigation.

[ READ: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation ]

Late last year, Microsoft pinpointed similar problems with SolarWinds during a post-mortem into a zero-day attack against the company’s Serv-U Managed File Transfer and Serv-U Secure FTP products. In that case, Redmond researchers noticed that SolarWinds developers failed to enable ASLR compatibility in some modules.

“Enabling ASLR is a simple compile-time flag. [It] is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,” Microsoft warned at the time.
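A defender-side check of the point Microsoft makes, as an added example that is not from the article, Project Zero or either vendor: it reads the ASLR-relevant header bit of each module a process would load (the DYNAMICBASE flag in a PE optional header, ET_DYN for ELF) and reports which modules cannot be relocated, since one pinned module undermines ASLR for the whole process. The header stubs are constructed inside the script and module names such as legacy.dll are placeholders.

```python
import struct

DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit)
ET_DYN = 3                 # ELF position-independent object (PIE or shared lib)

def pe_aslr_compatible(data: bytes) -> bool:
    """True if the PE image was linked with /DYNAMICBASE (can be relocated)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # Optional header follows the signature and 20-byte COFF header; DllCharacteristics is at offset 70 in PE32 and PE32+.
    opt = e_lfanew + 4 + 20
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return bool(dll_chars & DYNAMIC_BASE)

def elf_aslr_compatible(data: bytes) -> bool:
    """True if the ELF object is ET_DYN, i.e. position-independent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    fmt = "<H" if data[5] == 1 else ">H"   # EI_DATA: 1 = little, 2 = big endian
    return struct.unpack_from(fmt, data, 16)[0] == ET_DYN  # e_type field

def process_aslr_effective(modules: dict) -> tuple:
    """ASLR only helps if every module can move; report the ones that cannot."""
    pinned = []
    for name, data in modules.items():
        ok = pe_aslr_compatible(data) if data[:2] == b"MZ" else elf_aslr_compatible(data)
        if not ok:
            pinned.append(name)
    return (not pinned, pinned)

# Constructed header stubs (not real executables) so the audit runs offline.
def pe_stub(dll_chars: int) -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + coff + opt

def elf_stub(e_type: int) -> bytes:
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                  # ELF64, little endian
    return ident + struct.pack("<H", e_type) + b"\0" * 46

if __name__ == "__main__":
    loaded = {"app.exe": pe_stub(DYNAMIC_BASE | HIGH_ENTROPY_VA),
              "legacy.dll": pe_stub(0),                  # built without /DYNAMICBASE
              "libmedia.so": elf_stub(ET_DYN)}
    print(process_aslr_effective(loaded))  # (False, ['legacy.dll'])
```

On a real system the same functions can be fed the first few hundred bytes of each file in a process's module list; a non-empty second element is the finding Microsoft and Silvanovich describe.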

After a security audit of Zoom that resulted in patches for two serious security vulnerabilities (see previous SecurityWeek coverage), Project Zero’s Silvanovich published a detailed advisory to warn of Zoom’s attack surface and lament the difficulties in poking at Zoom’s proprietary code base.

[ READ: Project Zero Flags High-Risk Zoom Security Flaw ]

“[The biggest] concern in this assessment was the lack of ASLR in the Zoom MMR server. ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. There is no good reason for it to be disabled in the vast majority of software,” Silvanovich said. 

“There has recently been a push to reduce the susceptibility of software to memory corruption vulnerabilities by moving to memory-safe languages and implementing enhanced memory mitigations, but this relies on vendors using the security measures provided by the platforms they write software for. All software written for platforms that support ASLR should have it (and other basic memory mitigations) enabled,” she added.

While most video conferencing systems use open-source software, either WebRTC or PJSIP, Silvanovich pinpointed Zoom’s closed system as an obstruction to reliable outside security research. 

“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich said.

“Zoom, and other companies that produce closed-source security-sensitive software should consider how to make their software accessible to security researchers.”

In the technical analysis, Silvanovich called attention to the risk of zero-click attacks on Zoom’s multi-platform client, and warned that the recently patched vulnerabilities could have led to the compromise of Zoom’s servers and the exposure of meeting data.

A zero-click vulnerability in the Zoom client was documented at the Pwn2Own hacking contest where a $200,000 bounty was awarded. 

Related: Project Zero Flags High-Risk Zoom Security Flaw

Related: $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: FTC Says Zoom Misled Users on Its Security for Meetings

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
