Project Zero researcher Natalie Silvanovich published a new analysis of security flaws in the Zoom video chat platform. The vulnerabilities were uncovered during an investigation prompted by a zero-click attack demonstrated at Pwn2Own. Inspired by that demonstration, Silvanovich located two different bugs. The first is a buffer overflow affecting both Zoom clients and Zoom Multimedia Routers (MMRs). The second is an information leak affecting Multimedia Routers.
In addition, Silvanovich noted that the platform lacked Address Space Layout Randomization (ASLR), a security mechanism that helps defend against memory corruption attacks. Silvanovich stated that ASLR is one of the most important tools in preventing memory corruption attacks, and noted that other mitigations rely on ASLR to be effective. She also stated that because the MMR server processes call content such as audio and video, the bugs are especially concerning: they could expose any virtual meeting without end-to-end encryption enabled to potential eavesdropping.