Recently I pointed out in a blog post that the Zoom CEO was the VP of Engineering at Cisco who left to start a direct competitor because, according to him, he was unhappy about the speed he could operate at.
Being secure, to be frank, is about management practices much more than being devoid of flaws. How one handles a bug should be in the spotlight right now and Zoom is failing catastrophically.
Reading between the lines it looks a bit like the CEO didn’t like being told to do the right thing (follow safety processes) by Cisco management, and he allegedly saw it as an opportunity to exit and do a much easier thing — get rich doing what’s wrong, then apologize and hope for no accountability.
So let’s put a brand of business management theory to a simple product security management test.
Here is a WebEx 2020 vulnerability announcement in the Cisco format.
I’d rate that page as excellent and extremely useful to keeping users safe. It stems from the main Cisco security page, where you can easily query and sort on WebEx vulnerabilities.
Let’s now compare that level of excellence to the Zoom operation, run by the celebrated billionaire CEO.
For example I will take Patrick Wardle’s announcement (“The ‘S’ in Zoom, Stands for Security: uncovering (local) security flaws in Zoom’s latest macOS client”) from March 30, 2020. Patrick kindly updated his own announcement page to note that “Zoom has patched both bugs in Version 4.6.9 (19273.0402)”.
Look closely and very carefully at the Zoom security updates page. This huge security news story, details about the vulnerability, announcement of the patch… none of it can be found:
This is awful. It’s a terrible page with CVEs tossed in like a mixed bag. There should be far more CVEs (even if only placeholders) on this page, to begin with, and they should be easily sorted and searched as well as linked to product release/fix notes.
If you pop over to the release notes for the version Patrick mentions, which aren’t even linked from this page, you won’t find the word security mentioned anywhere.
This is unbelievable levels of bad management practice. Both the security page and the release page are far below acceptable. They are truly bad.
Please, anyone, someone explain to me why these release notes don’t use the word security anywhere, let alone carry a CVE with details, and aren’t connected to the security advisory page.
There’s really no need at this point for me to get into the interesting and messy details of CVE, CWE, CVSS, etc. when it’s obvious just how far below a safe baseline Zoom is operating. This should be enough already to show it’s a danger to society.
My take on this is the CEO is not enabling his security team, is not listening to his security critics, and does not yet take security seriously. I may be forced to look further.
It’s like watching a dumpster burning, and it’s hard for me to take my eyes off it at this point. So let’s go just a little bit onward.
A drop down into Security: CVE-2019-13450 shows Zoom has a severity score of 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) out of 10:
Hold on to your hats everyone because… wait for it… NIST shows this vulnerability officially filed as 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), more than double the score on Zoom’s own security site!
Here are the calculations side-by-side, which show how Zoom ended up publishing a false score on their useless security page (Attack Complexity High, Confidentiality Low) while everyone in the world will pull an official higher risk number from NIST’s database:
There are a million more examples I could give but honestly it’s just so bad I think people need to understand that a major overhaul is due at Zoom.
I’m not saying use WebEx, but at least take a look at what they’re doing to understand just how far off the mark Zoom is from being a safe product with proper management practices.
I don’t know if any of this means the CEO has to go, just that so far everything I’m looking at from a product security perspective shows a very broken software lifecycle, and substantial evidence of misleading and deceptive practices, which clearly harm customers.