Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
06:15 PM
Connect Directly

Zoom Joins Microsoft Teams on List of Enterprise Tools Hacked at Pwn2Own

White-hat hacking event shows yet again why there's no such thing as foolproof security against modern attacks.

A pair of security researchers at the virtual Pwn2Own hacking contest Wednesday exploited a combination of three individual zero-day bugs in the Zoom client to show how attackers could gain complete remote control of any PC or notebook computer on which the video communications software is installed.

Related Content:

Microsoft Teams, Exchange Server, Windows 10 Hacked in Pwn2Own 2021

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.

"One of the biggest trends we see is that the participants continue to evolve and adapt to the targets," says Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, which organizes the event each year. "Even as vendors make exploitation more difficult, contestants find a path to win."

The Zoom exploit garnered security researchers Daan Keuper and Thijs Alkemade of Dutch firm Computest Security an award of $200,000 and 20 so-called Master of Pwn points. Their exploit involved chaining together three bugs in the Zoom messenger client to gain code execution on a target system, without the user have to click or do anything. A Computest statement described the exploit as giving the two researchers control to execute actions on the device running the Zoom client, such as turning on the camera and microphone, reading emails and screen content, and downloading browser history. All of the actions could be taken without the user having to do anything or even noticing the activity.

Unlike previously disclosed vulnerabilities in the Zoom app that mostly allowed for attackers to snoop on video calls, the newly discovered ones are more serious because they give threat actors a way to take over the entire system, Computest said.

A Zoom spokesman Friday acknowledged the issue in the Zoom Chat group messaging product and said the company is currently working on its mitigation. In a statement, the spokesman said the attack demonstrated by the Computest researchers would need to originate from an accepted external contact or be part of the target's same organizational account.

"As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust," the statement noted. "If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

The Zoom exploit was one of several high-profile exploits at a Pwn2Own event where some $1.5 million is up for grabs to security researchers who can find and demonstrate exploitable vulnerabilities in a selected list of products across seven categories. Target products included Microsoft Exchange Server and SharePoint under the server category; Teams and Zoom in the enterprise communications section; Microsoft Edge, Google Chrome, and Apple Safari in the browser category; and Adobe Reader and Microsoft Office 365 ProPlus under the enterprise applications category. In a sign of the times, Tesla's Model 3 car was also one of the targets available to researchers.

The annual Pwn2Own contest was launched in 2007 and is part of the CanSecWest security conference. Over the years, the event has become a venue for some of the top white-hat hackers in the world to congregate and take a crack at widely used and popular technologies. The event has become a security proving ground of sorts for technology vendors and has been useful in helping them identify and close vulnerabilities they might have missed themselves. The organizers of Pwn2Own give vendors 90 days to fix vulnerabilities that are disclosed to them at the event.

"The contest has certainly grown and expanded over the last few years," Gorenc says. "We've added categories for automobiles and enterprise communications while maintaining traditional targets like Web browsers and operating systems."  

Numerous Exploits
In the first two days of the three-day contest, security researchers from around the world punched holes in multiple widely used technologies and raked in tens of thousands of dollars in the process.

Jack Dates of RET2 Systems won $100,000 for exploiting an integer overflow error in Apply Safari and an out-of-bounds write issue to get kernel-level code execution. He picked up another $40,000 for combining three vulnerabilities in the Parallels Desktop virtualization software for Apple Macs to execute code on the underlying OS.

Dates' Parallels Desktop exploit was one of two that involved the virtualization technology at this year's Pwn2Own. On Thursday, security researcher Benjamin McBride of L3Harris Trenchant used a memory corruption bug in Parallels Desktop to escape the virtualization layer and execute code on the underlying OS. Like Dates, McBride earned $40,000 for his effort.

Researchers at DEVCORE Security Consulting, meanwhile, picked up $200,000 for showing how attackers could completely take over a Microsoft Exchange server by combining an authentication bypass vulnerability with a local privilege escalation issue in the technology. The discovery is sure to add to the already high concerns around Exchange server prompted by the recent disclosure of four critical zero-day bugs in the technology.

Independent security researcher OV demonstrated code execution on Microsoft Teams by combining a pair of bugs and was paid $200,000 for the effort. A team from Viettel Cyber Security earned $40,000 for showing how attackers could take advantage of an integer overflow bug in Windows 10 to escalate privileges from a regular user to a user with system-level privileges.

Bruno Keith and Niklas Baumstark from Dataflow Security exploited Google Chrome renderer and Microsoft Edge using the same exploit against both browser technologies and netted $100,000 as a reward for their work.

"The biggest takeaway so far is just the breadth of talent that comes to the competition," Gorenc says. "It's great to see the current art of exploitation in action against a variety of targets."   

The exploits targeting Microsoft Exchange Teams and Zoom have been the most significant so far, he says.

"We've already seen the impact Exchange bugs have on enterprises this year, so finding and fixing these bugs before they are used by attackers is huge," Gorenc notes.

Similarly, Microsoft Teams and Zoom are nearly ubiquitous. But there hasn't been a lot of research done on their security.

"Getting researchers to focus their interest here provides the vendors a great resource in resolving these vulnerabilities before they can be used by adversaries," Gorenc says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file