I came across the article "Zoom Screen-Sharing Glitch 'Briefly' Leaks Sensitive Data", which covers a security issue in Zoom's screen sharing. The security advisory written by the German security team that found the problem is available as "SYSS-2020-044.txt"; the corresponding CVE number is CVE-2021-28133.
The security problem is that when a presenter chooses to share a single application window, the content of other windows may briefly be transmitted first before the share switches to the intended one:
However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).
And the current version still has the same problem:
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.
The issue was reported last December; after three months without a response, the team published it:
Disclosure Timeline:
2020-12-02: Vulnerability reported to manufacturer
2020-12-02: Manufacturer acknowledges receipt of security advisory
2020-12-02: Manufacturer asks for more information
2020-12-03: SySS provides more information concerning the security issue
2020-12-03: Manufacturer confirms reproducing the security issue in both the Windows and the Linux client and asks further questions
2020-12-04: SySS answers open questions
2020-12-04: Manufacturer responds and will look into the reported security issue
2021-01-21: SySS asks for status update
2021-02-01: SySS asks for status update
2021-03-18: Public release of security advisory
There is no telling when it will be fixed.