For those unaware, Zoom has recently seen a sudden surge in popularity and usage as people are forced to work and study from home amid the coronavirus (COVID-19) pandemic. As spotted by security researchers Mitch (@_g0dmode) and Matthew Hickey (@HackerFantastic), the Zoom client for Windows is vulnerable to a high-risk Universal Naming Convention (UNC) injection vulnerability that lets attackers steal a user’s login name and NTLM password hash every time the user clicks on a link within a chat message.
— Hacker Fantastic (@hackerfantastic) March 31, 2020

Apparently, Zoom automatically converts all URLs sent via chat messages into clickable links, including UNC paths. It currently does not distinguish between actual URLs and Windows networking UNC paths, so all of them are turned into hyperlinks.

“When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file-sharing protocol to open the remote cat.jpg file,” explained BleepingComputer. By default, Windows sends the user’s login name and NT LAN Manager (NTLM) credential hash to the malicious server, where it can then be cracked to recover the password.

Interestingly, similar behavior was noticed by Mohamed A. Baset on macOS, but it required more user interaction.

Hickey has notified Zoom of the issue. “Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter,” Hickey said.

Zoom, in a statement to BleepingComputer, said that it is working on a fix to address the UNC issue. “At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it,” Zoom told BleepingComputer.

You can protect yourself against this vulnerability as explained by BleepingComputer. Open the Group Policy Editor and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and select Deny all. With the policy set to Deny all, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share.

If you are a Windows 10 Home user and do not have access to the Group Policy Editor, open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, and create a new DWORD value named RestrictSendingNTLMTraffic with a value of 2.
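The registry mitigation above, as an added PowerShell example (not from the article or from Zoom): it reads the current value of RestrictSendingNTLMTraffic, reports what it means, and sets it to Deny all unless you pass a different target. The function and parameter names are this example's own; the key path, value name and the 0/1/2 meanings are those of the policy the article describes.

```powershell
# Audit and apply "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# through its registry value. Run from an elevated PowerShell prompt; supports -WhatIf.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # 0 = Allow all (default), 1 = Audit all (log only), 2 = Deny all (what the article recommends).
    # Setting 1 first is a useful way to find legitimate NTLM-only shares before denying outright.
    [ValidateSet(0, 1, 2)]
    [int]$Desired = 2
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
$Labels    = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    # Returns the current DWORD, or $null when the value has never been set
    # (policy "Not Defined", which behaves like Allow all).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-OutgoingNtlmPolicy
$currentLabel = if ($null -eq $current) { 'Not Defined (behaves as Allow all)' } else { $Labels[$current] }
Write-Host "Current outgoing NTLM policy: $currentLabel"

if ($current -eq $Desired) {
    Write-Host "Already set to $($Labels[$Desired]); nothing to do."
    return
}

if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Desired ($($Labels[$Desired]))")) {
    # -Force creates the DWORD if it is missing or overwrites it if it exists.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
    Write-Host "Outgoing NTLM policy set to $($Labels[$Desired])."
}
```

Deny all also blocks NTLM to legitimate remote servers that do not support Kerberos, which is why a pass with -Desired 1 (Audit all) before switching to 2 is worth the extra step.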
Additionally, it is advisable not to click on links in Zoom chat windows that contain backslashes, and to make sure that any URL you click on begins with “http” or “https”.