FOXTROT/ALFA: Zoom Vulnerabilities for Sale, ICANN Delays .org Sale Yet Again, Facebook Reboots Libra

Hello and welcome to issue 103 of FOXTROT/ALFA, the last one for this week. Today is Friday, 17 April 2020 and here’s what’s been happening in technology news since yesterday.

More Zoom Vulnerabilities

Now is the time for all bad men to attack video conferences. Zoom is definitely Target Number One. Exploits are much sought after.

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard has learned.

The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.

“From what I’ve heard, there are two zero-day exploits in circulation for Zoom. One affects OS X and the other Windows,” said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. “I don’t expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],” said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.” The asking price for the zero-day for the Zoom Windows app is $500,000, according to one of the sources, who deals with the procurement of exploits but has decided not to purchase this one.

Security researchers, hackers and criminals around the world are poking at the code at this very minute.

I spent two evenings (I think around 5-6h in total), looking at Zoom for Windows. Statically only – I did not perform a runtime analysis. In this report I summarize what I have seen. I’m pretty confident that this is only the tip of the iceberg.

zData.dll uses an outdated OpenSSL library: OpenSSL 1.0.2o 27 Mar 2018. OpenSSL 1.0.2 is EOL (End Of Life) since December 2019. There are known vulnerabilities that won’t get fixed anymore.

Depending on the implementation of the += operator, zData.dll potentially abets SQL injection vulnerabilities that can lead to information disclosure or execution of arbitrary code on Zoom-endpoints.

While looking at the import tables of the binary, I stumbled across an sprintf() call… sprintf() is a potentially dangerous function and compilers issue warnings if a function like sprintf is used. It seems like such warnings are not bothering the Zoom developers.

Airhost.exe uses libcurl Version 7.36.0. This version has known vulnerabilities.

airhost.exe uses a constant value as key for symmetric encryption: The SHA256 output of string “0123425234234fsdfsdr3242” is used to initialize an OpenSSL EVP AES 256 CBC context for encryption and decryption of data. To initialize the AES context, the string “3423423432325249” is used as constant IV.

And that’s only parts of one report…

Google to Attack Zoom with New Gmail Feature

Speaking of Zoom, Google has finally noticed that it can’t afford having everyone use a cloud tool it has no competitor for. All that user data is slipping by uncaptured…

Google is plugging its Meet service into Gmail as the Chocolate Factory rolls out the G Suite tanks in response to the threat posed by rival services.

The new functionality, available to all G Suite customers, is coming out over the next two weeks in Rapid Release domains and from 30 April for Scheduled Release domains. It’s a nifty tool that allows meetings to be kicked off or joined from within the Gmail inbox, making it simpler to switch between email and video-conferencing methods of communication as needed. It will also mean Google’s customers stop sneaking a peek at alternatives, such as Zoom and Teams, or so the ad giant doubtless hopes.

CVSS 10 Rating for Critical VMware Bug Explained

Remember that critical VMware vulnerability that I noted as remarkable because it was an information disclosure vulnerability rated at CVSS 10? We know now where that score came from:

The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level. Admins in charge of VMware estates should probably patch this one immediately, if they haven’t already.

Guardicore researcher JJ Lehman told The Register: “You have to be network accessible but you don’t have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts.”

“It’s very unique,” Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team’s eye. “This is why this is such a critical issue and this is why we believe it’s important for people to understand and mitigate it as fast as possible.” He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.

ICANN Once Again Delays .org Sale

It looks like people have signed enough petitions and made enough noise about it: ICANN is once again delaying the sale of the .org registry to a private investment firm.

ICANN has again delayed a decision on the sale of the .org registry, pushing the issue off for another month multiple sources with knowledge of Thursday’s meeting, have told The Register.

The organization’s board of directors was due to decide today on whether to approve the $1.13bn sale of the .org domain from the Internet Society to private equity firm Ethos Capital, but a last-minute letter from California’s attorney general Xavier Becerra appears to have upended the plan.

Rather than take a vote, the ICANN board debated the issue and ultimately decided to put off a decision until May 4 - the fourth such delay. The organization formally acknowledged the decision late on Thursday evening local time. “We have agreed to extend the review period to 4 May 2020, to permit additional time to complete our review,” it said.

The Windows 10 May 2020 Update is Coming

The next Windows 10 update is coming soon to a PC near you. Microsoft has released the May 2020 update to testers.

Microsoft is releasing the final version of its Windows 10 May 2020 Update today. While the update won’t roll out automatically to machines until next month, Windows 10 testers can get it early today by opting into the Release Preview ring of testing to get the final build. Like the previous November 2019 Update, this new update is a relatively small one that includes some improvements to Cortana and Windows search.

Cortana can now be undocked from the Windows 10 taskbar, and it includes the ability to choose between typing or talking to the digital assistant. The overall interface has also been tweaked to be more conversational. Microsoft has also added quick searches to the search home interface with this latest update, including weather, news, today in history, and new movies.

The May 2020 Update also features the Windows Subsystem for Linux 2, which includes an in-house custom-built Linux kernel. This Linux integration in Windows 10 will greatly improve the performance of Microsoft’s Linux subsystem in Windows. Microsoft is also promising to update this kernel through Windows Update, and it will be open source so developers can create their own WSL kernel and contribute changes.

LOL. It will also be open source so that Microsoft doesn’t get sued. It’s called copyleft, guys.

Facebook Tries Again with Libra Reboot

It looks like after an abject failure to convince the world of its own crypto (kind of) currency, Facebook isn’t giving up on Libra just yet.

The Facebook-founded Libra Association has revised its planned digital currency after regulatory concerns and public backlash made the project’s initial vision untenable.

Libra was introduced last June as a global digital currency, that would be linked to the value of real-world currencies and used by Facebook and others. It was to be based on a permissioned blockchain – only authorized parties could record transactions – with permissionless governance – no single party could change the rules of the network.

Initially, the idea took the form of a chaperoned version of Bitcoin. Rather than relying on permissionless consensus to exchange value, Libra’s transactional bookkeeping was to be overseen by Facebook and an association of data-harvesting friends. But its stated ambition was to move toward the Bitcoin model, “where anyone that follows the rules of the protocol and contributes the right types of resources (e.g., computing power in the case of a proof-of-work system) can do so.” That’s now been abandoned, replaced by more modest goals outlined in an explanatory paper.

Derisively referred to as Facebank or Facebucks, Libra alarmed regulators, advocacy groups, and competitors. The idea of allowing Facebook to set up a minimally accountable global financial data chokepoint after its many privacy and misinformation controversies raised more than a few eyebrows. So Libra now intends to play by the rules of global finance. On Thursday, the Libra Association asked the Swiss Financial Markets Supervisory Authority (FINMA) for permission to obtain a payment system license. The currency’s future form thus looks more like PayPal than an Ayn Rand-inspired run around regulation.

Also Noteworthy

Some other stories I’ve been reading today:

And with that, it’s time for the weekend. Until Monday, I’ll leave you with some good old cheesy power metal made in Germany. Bring on the madness, you’re born to destroy!

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.