Security Bytes #1: Vulns, Lists, and Zoom
May 14, 2020 • RBS
Vulnerabilities in major security software, abandoned mailing lists, and security issues in Zoom… Many events are developing within the security industry that you should be aware of, and we want to capture them as they unfold.
Everything is Vulnerable, Including Security Software
For those recovering from the aftermath of our second Vulnerability Fujiwhara, you hopefully noticed that in addition to the usual culprits of big releases, McAfee and IBM decided to join the fray. What makes them particularly interesting is that they released 24 fixes for security software between them; 11 for McAfee in their Endpoint Security (ENS) software and 11 for IBM in their QRadar SIEM. That brings the total number of vulnerabilities in security software to 7,590, or 3.3% of all disclosures.
That should concern all of us. A SIEM holds a consolidated picture of your environment, and a managed vulnerability scanner such as Tenable Nessus holds not only the list of what is exploitable in your organization but also the credentials it uses for authenticated scanning. Those credentials are typically privileged (local administrator on Windows, root or sudo on Unix) and valid on nearly every host in scope, so an attacker who compromises the scanner does not need to find an exploit; they can simply log in. Ouch. At a minimum, give the scanner a dedicated account with no more rights than the checks require, confine it to the scanner's own addresses, and alert when that account authenticates from anywhere else.
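As an added illustration of that last point (example code written for this page, not RBS's or any vendor's tooling), here is a small detector that runs over Windows successful-logon events (Event ID 4624) and flags the scanner's service account being used from a host other than the scanner, or with a logon type a scanner never uses. The account name `svc-scan`, the scanner address `10.0.5.20` and the log lines are all constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical environment (assumptions, not from the post): the scanner lives
# at 10.0.5.20 and performs credentialed checks as the domain account
# "svc-scan". Legitimate scan logons are always network logons (type 3)
# originating from the scanner itself.
SCAN_ACCOUNT = "svc-scan"
SCANNER_HOSTS = {"10.0.5.20"}
EXPECTED_LOGON_TYPES = {3}  # 2 = interactive, 3 = network, 10 = RDP


@dataclass(frozen=True)
class Alert:
    reason: str
    target_host: str
    source_ip: str
    logon_type: int


def inspect_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a successful logon (4624) uses the scan account abnormally."""
    if event.get("EventID") != 4624:
        return None
    if event.get("TargetUserName", "").lower() != SCAN_ACCOUNT:
        return None
    source_ip = event.get("IpAddress", "-")
    logon_type = int(event.get("LogonType", -1))
    target = event.get("Computer", "?")
    if source_ip not in SCANNER_HOSTS:
        # The scan credential is being used by something that is not the scanner:
        # either it has been stolen, or someone is reusing it by hand.
        return Alert("scan account used from a non-scanner host", target, source_ip, logon_type)
    if logon_type not in EXPECTED_LOGON_TYPES:
        # The scanner host itself is doing something a scanner never does
        # (for example opening an RDP session), which is what a compromised scanner looks like.
        return Alert("scan account used with an unexpected logon type", target, source_ip, logon_type)
    return None


def scan_events(lines: Iterable[str]) -> List[Alert]:
    """Run the check over a stream of JSON-encoded Windows security events."""
    alerts = []
    for line in lines:
        alert = inspect_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real logs), in a JSON shape similar to what a
# Windows event forwarder emits. Only the second and third should alert.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "Computer": "ws01", "TargetUserName": "svc-scan", "IpAddress": "10.0.5.20", "LogonType": 3}',
    '{"EventID": 4624, "Computer": "fs01", "TargetUserName": "svc-scan", "IpAddress": "10.0.9.77", "LogonType": 3}',
    '{"EventID": 4624, "Computer": "ws02", "TargetUserName": "svc-scan", "IpAddress": "10.0.5.20", "LogonType": 10}',
    '{"EventID": 4624, "Computer": "ws02", "TargetUserName": "jdoe", "IpAddress": "10.0.9.77", "LogonType": 2}',
    '{"EventID": 4625, "Computer": "dc01", "TargetUserName": "svc-scan", "IpAddress": "10.0.9.77", "LogonType": 3}',
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.reason}: {alert.source_ip} -> {alert.target_host} (logon type {alert.logon_type})")
```

The same idea applies to the SIEM's own collector accounts and to the scanner's API keys: decide in advance which hosts and logon types are legitimate for each service credential, and treat anything else as a compromise until proven otherwise. Failed logons (4625) for the scan account from stray hosts are worth a lower-severity rule of their own; they are filtered out here to keep the example to one check.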
SecurityFocus / BID / Bugtraq Mail List Shuttering?
In November 2019, Art Manion from CERT notified us that Symantec seemed to have stopped updating its public BID database in July. Despite its history of 27 years, it has remained untouched for nearly a year; the last entry, BID 109383, was published on July 26. A while after that, we also noticed that the venerable Bugtraq mailing list hasn't had posts approved since February 24.
On December 2, 2019, we reached out to Symantec via Twitter about BID not being updated, but they did not reply. A subsequent email sent to the BID contact address asking for comment bounced because the "address couldn't be found". An email sent to the Bugtraq list admin also bounced. Our third email, sent to the webmaster, didn't bounce, but we honestly aren't hopeful that we will receive a reply. And if you are reading this line, they had not replied by the time we published this blog.
The Bugtraq mailing list was created in November 1993 by Scott Chasin and became the de facto place to disclose vulnerabilities for many years. After Chasin, Elias Levy took over list moderation duties until 2001, and during his tenure the list transitioned to SecurityFocus. Then, in August 2002, Symantec acquired SecurityFocus, and Symantec's threat analysts took over in subsequent years.
Since inception, Bugtraq has produced almost 80,000 posts, with 776 in July 2001 as the highest-traffic month. Given the history of the list and the value it has brought to the community, RBS sincerely hopes that Symantec will pass the torch to someone willing to continue its legacy.
Zoom vs Webex Follow-up
Zoom, ZOOM, zoom. Most likely everyone is familiar with the security and privacy issues affecting Zoom; it's hard not to be. These days every publication and security researcher has offered their "hot take" on the state of Zoom and whether it's safe to use, including us.
For an extremely comprehensive analysis on Zoom’s security and privacy issues, check out our prior blog. For those who are knowledgeable on the topic, you may have noticed that despite the coverage, there haven’t been any widely adopted suggestions on an alternative product. Perhaps the main reason for this is that many alternative products suffer from the same kind of vulnerabilities and issues, or are simply not well-known.
People have been asking us which video conference app is "safer", but the answer depends on your organization's risk profile. While assessing and counting vulnerabilities, be careful not to conflate vulnerability counts for different vendors whose names contain "Zoom". For those researching "Zoom", you will want to base your decisions on "Zoom.us". But be aware that there is also "ZOOM International" (notice the all-caps), which has an entirely different logo and headquarters and its own set of distinct vulnerabilities. Many other vendors use "zoom" in some of their product names as well, which can make assessment tricky.
But the good news is that our data provides valuable insights to arrive at a decision. Here is a quick snippet of vulnerabilities disclosed in 2020 between Zoom.us and its predecessor, Webex:
- Zoom.us – 5 vulnerabilities in 2020, with 3 being disclosed in April.
- Webex – 7 vulnerabilities in 2020, with 2 being disclosed in April.
We have already seen many organizations defaulting back to Webex due to their concerns over Zoom amid the media frenzy. However, some organizations making this switch may not be aware that Webex also has its own glaring security concerns. Out of the vulnerabilities disclosed in 2020, the highest CVSS score was 9.3 and similarly to Zoom, Webex had its own version of Zoombombing.
Like we mentioned in our Zoom article, organizations should take a risk-based approach in choosing the right product. Recently, Zoom announced that it acquired Keybase to work towards "truly private" end-to-end encryption. Until that project is completed, current users will have to settle for AES-GCM with 256-bit keys. The cipher itself is not the weak point; the meeting keys are generated and distributed by Zoom's servers, so traffic is protected in transit but Zoom (or anyone who compromises its infrastructure) can decrypt meetings. End-to-end encryption would move key generation and exchange to the participants' clients. If your organization is still unsure which video conference platform to use, the NSA released a set of guidelines on the requirements a platform should meet. But whatever you do, make sure you actually do your research.