Monday 6 April 2020

Critical Flaw in Windows Preview Pane

Microsoft on 23/3/2020 issued Security Advisory ADV200006 for a "Critical"-rated remote code execution vulnerability in both supported and unsupported Windows systems.

Microsoft updated its security advisory on March 24 to indicate that the vulnerability is just rated "Important" for Windows 10, Windows Server 2016 and Windows Server 2019 systems. It's still rated "Critical" for older systems, though. "We do not recommend that IT administrators running Windows 10 implement the workarounds described below," the advisory explained.

The vulnerability, associated with the Adobe Type Manager Library in Windows systems, has been exposed to "limited, targeted attacks," per the advisory. The library "improperly handles a specially crafted multi-master font." This flaw can be exploited by "convincing a user to open a specially crafted document or viewing it in the Windows [Explorer] Preview pane."

There's no patch currently available. Microsoft's advisory offered three "workarounds" to implement, but they all have limitations.

More info & sources: Microsoft, Redmond

Thursday 2 April 2020

Zoom: It appears to have more problems than it solves

Zoom admits meetings don't use end-to-end encryption

Video conferencing app Zoom does not use end-to-end encryption, according to reports, despite specifically stating that it does on its website.


Though Zoom offers users the option to “enable an end-to-end (E2E) encrypted meeting,” and provides a green padlock that claims “Zoom is using an end to end encrypted connection,” the company this week admitted that offers no such thing.

A spokesperson for the company told The Intercept that, despite its claims, it was "currently not possible" to enable end-to-end encryption for its video meetings.

Instead, the spokesperson revealed, the service uses Transport Layer Security (TLS) which encrypts data between user's meetings and Zoom's servers. End-to-end refers to data encrypted between calls, blocking out third parties - which includes the service provider. As a result, the company can see and use the data for things like targeted ads. 

"When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the spokesperson added.

Part of Zoom's appeal to organisations is its simplicity and the fact it can be used for free, albeit without any premium features, which lets businesses try it out before forking out any money. "Video conferencing is a fantastic necessity in times like these but it is vitally important to understand the security and privacy concerns that go in parallel with this increasingly popular form of communication," said Jake Moore, a cyber security specialist for ESET. "For social and light business meetings they are fine as long as users realise what data is being shared by Zoom to third parties. I certainly wouldn't recommend using free software for sensitive or private meetings."

Unpatched Zoom App Bug Lets Hackers Steal Your Windows Password

According to the latest finding by cybersecurity expert @_g0dmode, which was also confirmed by researcher Matthew Hickey and Mohamed A. Baset, the Zoom client for Windows is vulnerable to the 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems.


The attack involves the SMBRelay technique wherein Windows automatically exposes a user's login username and NTLM password hashes to a remote SMB server when attempting to connect and download a file hosted on it.

The attack is possible only because Zoom for Windows supports remote UNC paths, which converts such potentially insecure URLs into hyperlinks for recipients in a personal or group chat.


To steal the login credential of user running zoom for Windows, all an attacker needs to do is sent a crafted URL (i.e. \\x.x.x.x\abc_file) to the victim over its chat interface, as shown, and wait for the victim to click it once.

To be noted, the captured passwords are not plaintext, but a weak one can easily be cracked in seconds using password cracking tools like HashCat or John the Ripper.

In a shared environment, like office space, stolen login details can be reused immediately to compromise other users or IT resources and launch further attacks.

Besides stealing Windows credentials, the flaw can also be exploited to launch any program already present on a targeted computer or downloaded as part of the attacker's social engineering campaign.


Zoom has already been notified of this bug, but since the flaw has not yet been patched, users are advised to either use an alternative video conferencing software or Zoom in your web browser instead of the dedicated client app.

Source(s) & more info: Hacker News, ITPro