fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Zoom fixes zero-day RCE bug affecting Windows 7, more updates soon

Zoom fixes zero-day RCE bug affecting Windows 7, more updates soon

​The Zoom web conference Client contained a zero-day vulnerability that could have allowed attackers to execute commands on vulnerable systems remotely.

The exploitation of the vulnerability required at least some form of action on the victim’s end, such as downloading and opening a malicious attachment, however, no security notifications would be triggered during exploitation.

A researcher, who prefers to remain anonymous, reached out to the 0patch team disclosing the vulnerability rather than reporting it directly to Zoom.

Researchers at 0patch then issued a “micropatch” free of charge until Zoom could release their own. 

Also read: 9 Policies For Security Procedures Examples

“According to our guidelines, we’re providing these micropatches to everyone for free until Zoom has fixed the issue or made a decision not to fix it. To minimize the risk of exploitation on systems without 0patch, we’re not publishing details on this vulnerability until Zoom has fixed the issue, or made a decision not to fix it, or until such details have become public knowledge in any way,” explained 0patch in a blog post.

While the company refrained from disclosing complete details of the remote code execution flaw, they did post a Proof-of-Concept video vaguely demonstrating the exploitation:

“Some social engineering is almost always required with client-side RCEs; some require the user to open a malicious document, some to visit a malicious web page, some to connect to a malicious RDP server etc. These are no unusual actions for the user, but they may not perform them without some lure,” 0patch co-found Mitja Kolsek told BleepingComputer.

Zoom has released a patch in the latest version 5.1.3 (28656.0709) for Windows users as of July 10th, and users are advised to download the newest version of the client app. 

The release notes confirm the update “fixes a security issue affecting users running Windows 7 and older.”

The vulnerability is only known to be exploitable on Windows 7 and earlier versions, but may also be exploitable on Windows Server 2008 R2 and earlier though.

0patch advised its users that their micropatch will safeguard users against this vulnerability regardless of the OS being used.

Future updates

Zoom has also released notes on a planned update scheduled to go out for Phone and Web users on July 12, 2020.

The update promises to step up encryption from AES-128 to AES-256 by default. It also introduces a “call monitoring” feature for Mobile users, effectively empowering them to “listen to a call without the parties being aware; speak to a phone user in a call without other parties being aware; join a call and speak to all parties; or take over the call from another user.”

Among other features and enhancements is what’s called the “Singapore data center option.” The option enables account owners and admins to route real-time meetings and webinar traffic via data centers located in Singapore.

Additionally, the July 12th Web update comes out with a customized speed dial supporting the busy lamp field (BLF) feature, call parking, the ability to create a shared directory of external contacts, and “minor bug fixes.”

Meanwhile, the update will enable Phone users to access phone user directories and transfer active calls to the voicemail inbox of another user.

Zoom users are advised to turn on auto-updates to protect themselves against security flaws and take advantage of the latest product offerings.

Also read: Top 10 Reliable IT Companies in Singapore

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us