Just spitballing here, but it could be due to previous bad encounters with Zoom, previous cases where Zoom has dismissed or downplayed an exploit, etc. Is Zoom one of those companies that requires excessive NDA's for exploits? That could be a factor.
I can think of a few other reasons, although it probably would have been better to disclose to Zoom /alongside/ whoever else they thought should get it.
> bad encounters with Zoom, previous cases where Zoom has dismissed or downplayed an exploit, etc.
Have they?
Their disclosure policy [1] sounds reasonable and their public response [2] to the recent accusations has been text book, if you ask me. They even hired top industry experts (Alex Stamos, Matthew Green, etc.) and acquired keybase to strengthen their security.
To me it looks like Zoom got lots of attention at once, and thus had lots of security issues at once, that would not be out of the ordinary if they had been more spread out. However, them lying to their customers about E2EE is hard to forgive.
As I mentioned, I was just stating some generic reasons why a researcher may choose not to disclose specifically (and only) to the company in question.
They have shown repeatedly that they don't give a shit, so the best thing you can do for their users is to demonstrate for them why they should uninstall it yesterday.
Maybe Zoom wasn't willing to pay the sticker price:
> Vice has reported that someone is claiming to have a zero-day exploit affecting the Zoom app for Windows, and they’re asking $500,000 for it. The remote code execution exploit allegedly requires the hacker to be in a call with the targeted user. Zoom says it has launched an investigation, but so far it has “not found any evidence substantiating these claims.”[1]
I think if someone's been using Windows 7 this long and not succumbed to malware, they probably know how to secure it, or just happen to have set it up in a secure fashion.
If you're behind a NAT and don't browse strange websites and don't open email attachments and don't plug in strange devices, how are you going to get malwared?
I'm one of the dudes running Windows 7 on unsupported hardware (Ryzen 3900x, some mobo that isn't supported by W7 and modified drivers from some random Chinese dude on the internet so it actually works). I'm using it mostly to play games that don't support Linux (anti-cheat spyware, as someone nicely put it), while daily driving linux on the same machine on another HDD (can't be hit by cryptolockers because windows doesn't detect it ;) ).
Windows 10 is garbage. It's a mobile OS - the "File" menu in Microsoft Word opens across the whole screen with most of it being empty space, the start menu fucking shows ads and search can't help itself but do random internet searches. Always on "Cortana" for god knows what reason that you can't turn off without editing registry (can you even do that anymore). On top of that, it's basically spyware. How can you protect yourself from malware by installing more malware?
I agree that W10 is garbage, at least oob. I have found that there are tweaks you can do to make it better.
> the "File" menu in Microsoft Word opens across the whole screen with most of it being empty space,
Is this not to do with the version of word? My schools win 7 computers had this as well.
> the start menu fucking shows ads
I don't remember how I turned it off, but none of the win 10 computers I use show adds in the start menu. (They still do in solitaire though).
> search can't help itself but do random internet searches.
Yup, that's annoying as all get out.
> Always on "Cortana"
I think there's a way to turn off Cortana being used constantly, I don't know if it actually stops it in the background though.
> On top of that, it's basically spyware.
Yup. I only use it for games for this very reason.
...
What it comes down to is what you're willing to deal with. I'd rather risk M$ spying on my games then some (slightly) less ethical attacker getting a foothold onto my network.
Oh, also if you do ever wind up needing to move to 10, you may like this [1].
It's been less than two months since we last ran across a large prospective customer who is still on XP. This was in the UK, and they handle highly confidential information on those computers.
Supporting XP makes dollars, so supporting XP makes sense. Though it does make me want to tear my eyeballs out.
I don't know if it's a good or bad thing in the context of the article that you can keep using Windows 7. I want it to be a good thing, but reality doesn't go away.
7 was really the last version of Windows I liked before the move to hybrid tablet PCs and Metro. It's the last one with the Classic theme which is more visually appealing to me. And there are no forced rolling updates.
But if a corporation is just not going to release security patches allowing for exploits like this then it slowly makes using it untenable.
It's just like with phones. I would be happy with my first generation OnePlus One if only the OS updates with the security patches didn't also tie in so many other features that decrease performance to unbearable levels. With Apple especially I feel like they're just updating things for the sake of updating them even though they already worked fine before, and Catalina is the end result of that strategy. We're running out of things to innovate on in the technology sphere so about all we can do is stick another two cameras on the back of the latest flagship on top of the previous three and call it progress. I once read a review that said something to the effect of, "but it only has two rear cameras."
And we can't go back either. Even though High Sierra is less annoying to use than Catalina, there's still another release cycle ahead. And another after that. Downgrading is not a sustainable business model, from people's perspective. Reddit won't just throw away their redesign and go back to old.reddit.com by default because it means taking away the livelihoods of the people they hired to "improve" everything. It means admitting it failed, and I don't think that's how they see their efforts. So what's the way out?
And software vendors will eventually start using Windows 10-exclusive APIs because they'd see no point in supporting a "dead" OS, so eventually you'd have no choice to upgrade if your requirement is running that software.
If it was up to me I'd never "upgrade" beyond Windows 7. Same thing with OS X, I'd like to stick with the version I have pretty much indefinitely. Not only OSes but most software in general are adding more and more features I don't care about & don't want, while adding onerous, user-hostile patterns that detract from both my freedom and the convenience that I usually expect from the software I use.
Frankly, as time goes by I'm finding it harder and harder to keep using Windows/Mac as my primary computing OS because every new update adds things like forced (or extremely-hard-to-avoid) updates, nagware, analytics I don't agree with and is difficult to remove, more-prevalent DRM, UX regressions (IMO) and "change for the sake of change" that provides no measurable or perceivable benefit to the user. I could honestly keep going on and on about this.
It's like software companies never heard the idiom "don't fix what isn't broken", and they are interminably obsessed with reinventing the wheel on a biannual basis.
Re-reading what I wrote, it's interesting & telling that I started with "if it was up to me", and that's really the problem: it's basically NOT up to me what I run on my computer. Want to play the latest award-winning game that is revolutionary, life-changingly awesome? Hope you have absolute latest [whatever] OS with all the updates and whatever other stuff that is required to run it (anti-cheat spyware is my favorite). Heck, how about stuff required for your business, non-optional software (like Zoom)? You're just forced into it. If this stuff you're forced into has problems like, say, wiping your entire hard drive because of a bug in a forced Windows update?? Too bad I guess? That's what you get for using a computer? There are so many glaring problems with this situation, it boggles my mind that people seem completely fine with it.
credit card number is always safe to give out. you have zero liability, and the fraud detection in the backend is far far far better than what fly by night app of the day does.
42 comments
[ 2.7 ms ] story [ 93.0 ms ] threadNo disclosure was made to Zoom. Why? What's the point of doing that?
I can think of a few other reasons, although it probably would have been better to disclose to Zoom /alongside/ whoever else they thought should get it.
Have they?
Their disclosure policy [1] sounds reasonable and their public response [2] to the recent accusations has been text book, if you ask me. They even hired top industry experts (Alex Stamos, Matthew Green, etc.) and acquired keybase to strengthen their security.
To me it looks like Zoom got lots of attention at once, and thus had lots of security issues at once, that would not be out of the ordinary if they had been more spread out. However, them lying to their customers about E2EE is hard to forgive.
[1] https://hackerone.com/zoom
[2] https://blog.zoom.us/a-message-to-our-users/
Before covid, all i knew about Zoom was "That video chat with all the exploits"
> Vice has reported that someone is claiming to have a zero-day exploit affecting the Zoom app for Windows, and they’re asking $500,000 for it. The remote code execution exploit allegedly requires the hacker to be in a call with the targeted user. Zoom says it has launched an investigation, but so far it has “not found any evidence substantiating these claims.”[1]
[1]: https://www.securityweek.com/zoom-teams-katie-moussouris-rev...
I couldn't find their current bug bounty payout schedule anywhere online, so I can only assume it's unimpressive.
Windows 7 is supported until 2023 in enterprise. Wouldn't be surprised if it's a quarter of the userbase.
https://www.statista.com/statistics/993868/worldwide-windows...
What's wrong with using old software, especially when it works better than the new?
But an up to date anything is better than Windows 7.
If you're behind a NAT and don't browse strange websites and don't open email attachments and don't plug in strange devices, how are you going to get malwared?
I'm one of the dudes running Windows 7 on unsupported hardware (Ryzen 3900x, some mobo that isn't supported by W7 and modified drivers from some random Chinese dude on the internet so it actually works). I'm using it mostly to play games that don't support Linux (anti-cheat spyware, as someone nicely put it), while daily driving linux on the same machine on another HDD (can't be hit by cryptolockers because windows doesn't detect it ;) ).
Windows 10 is garbage. It's a mobile OS - the "File" menu in Microsoft Word opens across the whole screen with most of it being empty space, the start menu fucking shows ads and search can't help itself but do random internet searches. Always on "Cortana" for god knows what reason that you can't turn off without editing registry (can you even do that anymore). On top of that, it's basically spyware. How can you protect yourself from malware by installing more malware?
> the "File" menu in Microsoft Word opens across the whole screen with most of it being empty space,
Is this not to do with the version of word? My schools win 7 computers had this as well.
> the start menu fucking shows ads
I don't remember how I turned it off, but none of the win 10 computers I use show adds in the start menu. (They still do in solitaire though).
> search can't help itself but do random internet searches.
Yup, that's annoying as all get out.
> Always on "Cortana"
I think there's a way to turn off Cortana being used constantly, I don't know if it actually stops it in the background though.
> On top of that, it's basically spyware.
Yup. I only use it for games for this very reason.
...
What it comes down to is what you're willing to deal with. I'd rather risk M$ spying on my games then some (slightly) less ethical attacker getting a foothold onto my network.
Oh, also if you do ever wind up needing to move to 10, you may like this [1].
[1] https://github.com/Open-Shell/Open-Shell-Menu
It probably is to do with word and was an unnecessary dig at W10.
It is still quite a frustrating "feature".
Supporting XP makes dollars, so supporting XP makes sense. Though it does make me want to tear my eyeballs out.
Not just enterprise; even a single user can easily acquire ESU:
https://tinyapps.org/blog/202001220700_windows_7_esu_smb.htm...
7 was really the last version of Windows I liked before the move to hybrid tablet PCs and Metro. It's the last one with the Classic theme which is more visually appealing to me. And there are no forced rolling updates.
But if a corporation is just not going to release security patches allowing for exploits like this then it slowly makes using it untenable.
It's just like with phones. I would be happy with my first generation OnePlus One if only the OS updates with the security patches didn't also tie in so many other features that decrease performance to unbearable levels. With Apple especially I feel like they're just updating things for the sake of updating them even though they already worked fine before, and Catalina is the end result of that strategy. We're running out of things to innovate on in the technology sphere so about all we can do is stick another two cameras on the back of the latest flagship on top of the previous three and call it progress. I once read a review that said something to the effect of, "but it only has two rear cameras."
And we can't go back either. Even though High Sierra is less annoying to use than Catalina, there's still another release cycle ahead. And another after that. Downgrading is not a sustainable business model, from people's perspective. Reddit won't just throw away their redesign and go back to old.reddit.com by default because it means taking away the livelihoods of the people they hired to "improve" everything. It means admitting it failed, and I don't think that's how they see their efforts. So what's the way out?
And software vendors will eventually start using Windows 10-exclusive APIs because they'd see no point in supporting a "dead" OS, so eventually you'd have no choice to upgrade if your requirement is running that software.
It's just out of our control.
Frankly, as time goes by I'm finding it harder and harder to keep using Windows/Mac as my primary computing OS because every new update adds things like forced (or extremely-hard-to-avoid) updates, nagware, analytics I don't agree with and is difficult to remove, more-prevalent DRM, UX regressions (IMO) and "change for the sake of change" that provides no measurable or perceivable benefit to the user. I could honestly keep going on and on about this.
It's like software companies never heard the idiom "don't fix what isn't broken", and they are interminably obsessed with reinventing the wheel on a biannual basis.
Re-reading what I wrote, it's interesting & telling that I started with "if it was up to me", and that's really the problem: it's basically NOT up to me what I run on my computer. Want to play the latest award-winning game that is revolutionary, life-changingly awesome? Hope you have absolute latest [whatever] OS with all the updates and whatever other stuff that is required to run it (anti-cheat spyware is my favorite). Heck, how about stuff required for your business, non-optional software (like Zoom)? You're just forced into it. If this stuff you're forced into has problems like, say, wiping your entire hard drive because of a bug in a forced Windows update?? Too bad I guess? That's what you get for using a computer? There are so many glaring problems with this situation, it boggles my mind that people seem completely fine with it.
in fact you are forced to replace your card just due to expiry every 1-4 years depending on issuer.