Natalie Silvanovich of Google’s Project Zero bug-hunting team found and reported two zero-click vulnerabilities in video conferencing platform Zoom. Both flaws opened the door to attackers taking control of a victim’s devices and servers without the victim having to do anything. “Many people believe they are protected simply because they are cautious in the use of their devices,” commented Avast Security Evangelist Luis Corrons.“This is the best example to show that anyone can be compromised without interaction from the user side. This is why it is so critical to update all our apps to make sure any known security hole is patched.” To exploit the Zoom flaws, an attacker would have had to target Zoom accounts that are connected through Zoom Contacts. After contacting the company, Silvanovich said Zoom was very responsive and supportive of her work. Zoom fixed the flaws and released a security update for its customers on November 24. For more on this story, see WIRED.
