
    Zoom working on patching zero-day disclosed in Windows client

    Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier today in a blog post by cyber-security firm ACROS Security.
    The security firm said the zero-day impacts Zoom’s Windows client, but only when the clients are running on old Windows OS versions, such as Windows 7 and Windows Server 2008 R2 and earlier.
    Zoom clients running on Windows 8 or Windows 10 are not affected, according to ACROS Security CEO Mitja Kolsek.
    “The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file,” Kolsek said.
    “No security warning is shown to the user in the course of attack,” he added.

    Kolsek said ACROS did not discover the vulnerability itself, but received it from a security researcher who wanted to remain anonymous.
    ACROS reported the zero-day to Zoom earlier today and released an update to its 0patch client to block attacks for its own customers until Zoom releases an official fix. ACROS also published a demo video showing the zero-day being exploited and then blocked by the 0patch client.
    ACROS didn’t publish any kind of technical details about the zero-day, but in a canned statement ZDNet received today from a Zoom spokesperson, the company confirmed the vulnerability and the report’s accuracy.
    “Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
    A Zoom spokesperson could not commit to a timeline of when the fix would be available due to the unpredictability of developing a comprehensive fix; however, a patch is currently in the works.
    Zero-day disclosed days after “feature freeze” ended
    After the discovery and disclosure of several security issues with Zoom’s service, on April 1, the company paused development on all new features to focus solely on security and privacy-related improvements and bug fixes.
    This period of feature freeze during which the company focused on improving the app’s security ended on July 1, last week.
    Days before, on June 24, Zoom also hired a new Chief Information Security Officer (CISO) in Jason Lee, who previously served as Salesforce’s Senior Vice President of Security Operations.
    During its feature freeze period, Zoom also hired Luta Security to help the company set up a professional bug bounty program. Zoom and Luta Security ended their collaboration on the day of Lee’s hiring.


    How to ensure your workplace does not become a new source of COVID-19 infections

    While the number of COVID-19 infections is on the rise globally, some countries have started to relax lockdown measures and reopen their economies. As a result, many employers have welcomed back employees into physical workplaces. Unfortunately, the workplace is often the source of new outbreaks.

    In Italy, for example, a courier express company experienced a surge in infections among employees, with over 40 of them testing positive so far. The company is now working with local health professionals to contain the outbreak. In Germany, a meat factory experienced the country’s biggest single outbreak since the beginning of the pandemic. More than 2,000 people contracted the virus in the area where the meat processing factory operates, with many of the infections linked directly to the factory itself. And in early June, Beijing saw the number of new infections rising and decided to impose new lockdown measures. A wholesale market was identified as the place where the outbreak started.
    The risk that the workplace becomes a source of a new outbreak is real. As countries have reopened, we’ve advised employers to think carefully about the measures, protocols, and procedures to put in place to create adequate health and safety conditions. We’ve also helped clients identify the most critical risks to mitigate as their employees return to work. While most employers are taking appropriate measures to create a safe workplace — many are even deploying contact tracing solutions in the workplace or providing medical screening of both employees and customers before entering — there is still not nearly enough attention on how to ensure safer conditions for employees during their journey to and from work. There are several ways to mitigate this risk: 
    Enable work-from-home and remote policies. Our research shows that more than 50% of employers worldwide have asked employees to work from home or remotely more than usual during the pandemic. Many companies we talked to also revealed they have long-term plans to introduce more flexible work policies for employees, allowing between 20% and 50% of them to work remotely on a normal basis. Many jurisdictions also protect an employee’s right to refuse unsafe work; for example, Germany has introduced a “right to work from home.” But working from home is not a possibility for everyone. Our data shows this is true for just one in three employees in Singapore and the US. Across Europe, the share of those who cannot work from home or remotely is significantly higher, reaching 52% in France. We know for a fact that commuting to and from work increases the risk of infection: In one study in San Francisco, 90% of individuals who tested positive (2.1% of the 4,160 people tested) couldn’t work from home during the shelter-in-place order, and most lived in households of three to five people or more.
    Support travel during off hours and promote alternatives to public transport. In the UK, the company responsible for local transport in London and its suburbs provides guidance for safer journeys, which largely focuses on avoiding busy times or public transport altogether where possible. The Italian government issues vouchers to citizens who want to buy a bicycle. But employers must play their part to mitigate this risk. Pandemic planning protocols do not generally have a lot to offer. From our interviews, we learned that experiences range from a complete lack of planning, to employees paying for their own taxis, to a few company schemes for paid private cars or accommodations. Employers can do more. In the UK, Cyclescheme, a 20-year-old cycle-to-work provider, has created a COVID-19 hub to help employers and employees get to work on a bicycle.
    Appoint a “mobility manager.” In Italy, organizations that have more than 100 employees must now hire a “mobility manager.” This role was originally created in 1998 to help large organizations in crowded cities figure out ways to assess and reduce the environmental impact of their workforce going into work. The mobility manager was originally responsible for creating a yearly map of the employees’ commutes to and from work with the intent of suggesting and encouraging “greener options.” But a mobility manager can also help mitigate COVID-19-related risks to commuters. If regularly updated and made a companion to your pandemic management protocol, the map can provide rich information for assessing health- and safety-related risks of employees commuting to work and for choosing mitigation strategies that suit the specific needs of your organization.
    For more information and guidance about pandemic management, visit Forrester’s COVID-19 Hub.
    This post was written by Senior Analyst Enza Iannopollo, and it originally appeared here.



    UK and Australian Information Commissioners to investigate Clearview AI

    The UK Information Commissioner’s Office and Office of the Australian Information Commissioner (OAIC) announced on Thursday that the pair would be teaming up to conduct a joint investigation into Clearview AI. In April, OAIC asked questions of the company and issued a notice to produce under section 44 of the Australian Privacy Act. Two months […]


    INSLM recommends taking encryption-busting approvals power from Australian Ministers

    In his final report before retiring, Australia’s Independent National Security Legislation Monitor (INSLM) Dr James Renwick took the red pen to the country’s encryption-busting legislation, making a handful of recommendations, mostly centred on the creation of an independent body to oversee the approval of warrants. The Telecommunications and other Legislation Amendment (Assistance & Access) Act […]


    Google abandons Isolated Region cloud services project in China

    Google has abandoned a project designed to tap into the potential of the cloud market in China, citing the potential of “better outcomes” with different services. As reported by Bloomberg, the project was called “Isolated Region.” As hinted by its name, Isolated Region was being formulated to appease leaders in countries that wanted to lock […]


    Majority of firms concerned about public cloud security, most have suffered breach

    Most businesses are worried about the current state of their public cloud security, with 70% admitting they have experienced a breach over the past year, including 93% in India, where this figure is highest worldwide. Companies that used more than one public cloud platform reported more security incidents than their peers that used only one […]