Misleading title, Zoom doesn't divulge the password hash, but also doesn't prevent users from clicking on UNCs.
Having fallen out of paying attention to Windows Server over the past few years, I'd be a little surprised if the weak NTLM hash is still on by default in current versions of Windows (although that's not to say most of the Windows install base isn't in obsolescence).
> I'd be a little surprised if the weak NTLM hash is still on by default in current versions of Windows
Even if it didn't, which I'm not sure about, they still need to send one if you're trying to open a samba share. This attack works by presenting a UNC link to a samba share, which (when the user accepts the credential prompt) will send a nice compatible NTLM password hash.
The BBC have an article on Zoom security today, where the lack of clear technical statements in the response is quite striking if you are concerned about online security:
One interesting point was that the most senior figures in the UK government have been using Zoom to conduct official meetings while several of them are in isolation at home due to the virus. That is concerning given the reported lack of basic security features like full encryption.
He probably has a lot of his wealth invested in tech companies. Otherwise I can't fathom why somebody would be upset at tech companies receiving more scrutiny.
I now see senators in my country holding meetings over Zoom and it's horrifying.
I've been avoiding most things Google, but these days I don't have a problem with colleagues using Google's Meet, because honestly I trust Google more than Zoom. Skype is another popular option.
This is a wasted opportunity for a solution like Signal.org to provide support for e2e group video calls. I'm guessing it's not easy to implement.
"Zoom doesn't fix Windows oversight that makes Windows leak login credentials"
Sorry, but this one isn't on Zoom. This is all on Windows. You should be able to click a static link and expect it not to send your user password (or an easily crackable hash) to some remote server.
This is nothing new and can also be seen in one of tools I often use to check if my VPN is easily detectable [0].
This is Windows being vulnerable to carelessly authenticating to a remote server using an insecure protocol. Attack vectors also include email, messenger applications, QR codes, and anything else that might form an URI you can click on.
You can prevent this in your firewall by setting the right group policy [1] or blocking outbound SMB/NTLM/etc. in your network firewall.
We see a LOT more at home use of zoom by grandparents and others with minimal tech savvy because if Covid19. Telling them to egress block SMB is not helpful. Perhaps we need to put more pressure in ISPs to egress block SMB traffic?
This is hardly Zoom-related. This attack can easily be executed from Word files and malicious web pages in the right circumstances.
Microsoff should really disable this insecure method of authentication to public addresses for everyone but business users who rely on it (and whose IT department can manually enable the feature through group policy). There are sort-of-valid reasons to use SMB over the internet (easy network printing for one, as well as mounting disks in networks that still hand out publicly routable IPv4 addresses such as universities) and closing the port would break that functionality immediately.
Why should every residential ISP in the world need to cover up for Microsoft's design flaw? This bug is presented as news but it has been a known security issue for at least 6 years now.
Can SMB links be clicked on from a standard browser? If browsers prohibit it, I guess it would indeed be responsible on Zoom's part to also prohibit it.
TBH, this "issue" (which is not how Microsoft see it) has been around long enough that most applications know to be careful. Zoom should too. While it's not their fault, per se, they still need to be precautious.
Sometimes you gotta imagine it like it's a bad flag for a program or library that's just left on default. If you're using that program or library then you are also responsible for how you use it.
Why not? It makes business sense for a conferencing tool to be able to link to files on a mounted drive ("can you tell me where the project notes are?" "sure, they're over at \\projects\jabberwocky\notes.docx").
Every chat application turns HTTP strings into links and I don't believe it's the application developer's fault to assume that a simple link will cause code execution or leak credentials. That's a bad API design by Microsoft to the point where it's a vulnerability.
If someone told you that on iOS a link starting with HTTP would cause the device to send your Apple password to a random server, would you think that's normal and therefore developers should know better? Why would it be any different with any other kind of link? Wouldn't you expect the OS not to fail catastrophically when a user clicks a link like that?
All this attention on zoom should make their product solid if they listen. I will never trust them given free service is part of their business model. They will gather data and sell it. The Chinese government equation is a whole another thing.
23 comments
[ 4.4 ms ] story [ 37.1 ms ] threadHaving fallen out of paying attention to Windows Server over the past few years, I'd be a little surprised if the weak NTLM hash is still on by default in current versions of Windows (although that's not to say most of the Windows install base isn't in obsolescence).
Even if it didn't, which I'm not sure about, they still need to send one if you're trying to open a samba share. This attack works by presenting a UNC link to a samba share, which (when the user accepts the credential prompt) will send a nice compatible NTLM password hash.
https://www.bbc.co.uk/news/business-52115434
One interesting point was that the most senior figures in the UK government have been using Zoom to conduct official meetings while several of them are in isolation at home due to the virus. That is concerning given the reported lack of basic security features like full encryption.
Good thing about this is the fatigue. We're just a few years away until jo*rnalists lose most of their power.
https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/
I now see senators in my country holding meetings over Zoom and it's horrifying.
I've been avoiding most things Google, but these days I don't have a problem with colleagues using Google's Meet, because honestly I trust Google more than Zoom. Skype is another popular option.
This is a wasted opportunity for a solution like Signal.org to provide support for e2e group video calls. I'm guessing it's not easy to implement.
Sorry, but this one isn't on Zoom. This is all on Windows. You should be able to click a static link and expect it not to send your user password (or an easily crackable hash) to some remote server.
This is nothing new and can also be seen in one of tools I often use to check if my VPN is easily detectable [0].
This is Windows being vulnerable to carelessly authenticating to a remote server using an insecure protocol. Attack vectors also include email, messenger applications, QR codes, and anything else that might form an URI you can click on.
You can prevent this in your firewall by setting the right group policy [1] or blocking outbound SMB/NTLM/etc. in your network firewall.
[0] hʇʇp://witch.valdikss.org.ru/ WARNING: will try to trigger the exact same credential leak on Windows. Use with care. [1] https://www.securitynewspaper.com/2016/08/06/understanding-w...
Microsoff should really disable this insecure method of authentication to public addresses for everyone but business users who rely on it (and whose IT department can manually enable the feature through group policy). There are sort-of-valid reasons to use SMB over the internet (easy network printing for one, as well as mounting disks in networks that still hand out publicly routable IPv4 addresses such as universities) and closing the port would break that functionality immediately.
Why should every residential ISP in the world need to cover up for Microsoft's design flaw? This bug is presented as news but it has been a known security issue for at least 6 years now.
Sometimes you gotta imagine it like it's a bad flag for a program or library that's just left on default. If you're using that program or library then you are also responsible for how you use it.
Every chat application turns HTTP strings into links and I don't believe it's the application developer's fault to assume that a simple link will cause code execution or leak credentials. That's a bad API design by Microsoft to the point where it's a vulnerability.
If someone told you that on iOS a link starting with HTTP would cause the device to send your Apple password to a random server, would you think that's normal and therefore developers should know better? Why would it be any different with any other kind of link? Wouldn't you expect the OS not to fail catastrophically when a user clicks a link like that?