Today a couple vulnerabilities were announced in Zoom, the popular work-from-home conferencing app. Hackers can possibly exploit these to do evil things to you, such as steal your password. Because of the COVID-19, these vulns have hit the mainstream media. This means my non-techy friends and relatives have been asking about it. I thought I'd write up a blogpost answering their questions.
The short answer is that you don't need to worry about it. Unless you do bad things, like using the same password everywhere, it's unlikely to affect you. You should worry more about wearing pants on your Zoom video conferences in case you forget and stand up.
Now is a good time to remind people to stop using the same password everywhere and to visit https://haveibeenpwned.com to view all the accounts where they've had their password stolen. Using the same password everywhere is the #1 vulnerability the average person is exposed to, and is a possible problem here. For critical accounts (Windows login, bank, email), use a different password for each. (Sure, for accounts you don't care about, use the same password everywhere, I use 'Foobar1234'). Write these passwords down on paper and put that paper in a secure location. Don't print them, don't store them in a file on your computer. Writing it on a Post-It note taped under your keyboard is adequate security if you trust everyone in your household.
If hackers use this Zoom method to steal your Windows password, then you aren't in much danger. They can't log into your computer because it's almost certainly behind a firewall. And they can't use the password on your other accounts, because it's not the same.
Why you shouldn't worry
The reason you shouldn't worry about this password stealing problem is because it's everywhere, not just Zoom. It's also here in this browser you are using. If you click on file://hackme.robertgraham.com/foo/bar.html, then I can grab your password in exactly the same way as if you clicked on that vulnerable link in Zoom chat. That's how the Zoom bug works: hackers post these evil links in the chat window during a Zoom conference.
It's hard to say Zoom has a vulnerability when so many other applications have the same issue.
Many home ISPs block such connections to the Internet, such as Comcast, AT&T, Cox, Verizon Wireless, and others. If this is the case, when you click on the above link, nothing will happen. Your computer till try to contact hackme.robertgraham.com, and fail. You may be protected from clicking on the above link without doing anything. If your ISP doesn't block such connections, you can configure your home router to do this. Go into the firewall settings and block "TCP port 445 outbound". Alternatively, you can configure Windows to only follow such links internal to your home network, but not to the Internet.
If hackers (like me if you click on the above link) gets your password, then they probably can't use use it. That's because while your home Internet router allows outbound connections, it (almost always) blocks inbound connections. Thus, if I steal your Windows password, I can't use it to log into your home computer unless I also break physically into your house. But if I can break into your computer physically, I can hack it without knowing your password.
The same arguments apply to corporate desktops. Corporations should block such outbound connections. They can do this at their gateway firewall. They can also push policy to all the Windows desktops, so that desktops can only log into local file servers instead of remote ones. They should block inbound connections to this protocol. They should consider using two-factor authentication. If they follow standard practices, they have little to worry about.
If your Windows password is the same as your email password, then you have a potential problem. While I can't use it to hack your Windows desktop computer, I can use it to hack your email account. Or your bank account. Or your Amazon.com account.
What you should do to protect yourself
By far the most important thing you should do to protect yourself from Internet threats is to use a different password for all your important accounts, like your home computer, your email, Amazon.com, and your bank. Write these down on paper (not a file on your computer). Store copies of that paper in a safe place. I put them in a copy of the book Catcher in the Rye on my bookshelf.
Secondly, be suspicious of links. If a friend invites you to a Zoom conference and says "hey, click on this link and tell me what you think", then be suspicious. It may not actually be your friend, and the link may be hostile. This applies to all links you get, in applications other than Zoom, like your email client. There are many ways links are a threat other than this one technique.
This second point isn't good advice: these technologies are designed for you to click on links. It's impossible to be constantly vigilant. Even experts get fooled occasionally. You shouldn't depend upon this protecting you. It's like social distancing and the novel coronavirus: it cuts down on the threat, but doesn't come close to eliminating it.
Make sure you block outbound port 445. You can configure Windows to do this, your home router, and of course, your ISP may be doing this for you.
Consider using two-factor authentication (such as SMS messages to your mobile phone) or password managers. Increasingly websites don't manage username/passwords themselves, but instead use Google, Facebook, or Twitter accounts as the login. Pick those in preference to creating a new password protected account. Of course, this means if somebody tricks you to reveal your Google/Facebook/Twitter password you are in trouble, but you can use two-factor authentication for those accounts to make that less likely.
Why this hack works
You are familiar with web addresses like https://google.com/search?q=foobar. The first part of this address, https:// says that it's a "secure hypertext protocol" address.
Other addresses are possible. One such address is file:// as in the example above. This tells the computer to Microsoft Windows "file server" protocol. This protocol is used within corporate networks, where desktops connect to file servers within the corporate network. When clicking on such a link, your computer will automatically send your username and encrypted password (sic) to log into the file server.
The internal corporate network is just a subset of the entire Internet. Thus, instead of naming servers local to the corporate network, the links can refer to remote Internet servers.
Nobody asks you for your password when you click on such links, either in this webpage, an email, or in Zoom chat. Instead, Windows is supplying the encrypted password you entered when you logged onto your desktop.
The hacker is only stealing the encrypted form of the password, not the original password. Therefore, their next step is to crack the password. This means guessing zillions of possible passwords, encrypting them, and seeing if there's match. They can do this at rates of billions of guesses per second using specialized hardware and software on their own computers.
That means weak passwords like "Broncos2016" will get cracked in less than a second. But strong passwords like "pUqyQAM6GzWpWEyg" have trillions times a trillion combinations, so that they can't be guessed/cracked in a billion years, even by the NSA. Don't take this to mean that you need a "strong password" everywhere. This becomes very difficult to manage. Instead, people choose to use password managers or two-factor authentication or other techniques.
Note that on Windows, if the prefix is missing, it is assumed to be "file:", so the links may appear as //hackme.robertgraham.com/foo/bar.html or \\hackme.robertgraham.com\foo\bar.html.
Is this overhyped?
Lots of people are criticizing this story as being overhyped. I'm not sure it is. It's one of those stories that merits publication, yet at the same time, not the widespread coverage for the mainstream. It's spread further than it normally would have because of all the attention on the pandemic and work-from-home.
I don't know if Zoom will "fix" this bug. It's a useful feature on corporate conferences, to point to files on corporate servers. It's up to companies (and individuals) to protect themselves generally against this threat, because it appears in a wide variety of applications, not just Zoom.
What about the other vuln?
Two vulns were announced. The one that's gathered everyone's attention is the "stealing passwords" one. The other vuln is even less dangerous. It allows somebody with access to a Mac to use the Zoom app to gain control over the computer. But if somebody had that much control over your Mac, then they can do other bad things to it.
In response to this news story, the thing you need to worry about is wearing pants, or making sure other household members wear pants. You never know when the Zoom videoconferencing camera accidentally catches somebody in the wrong pose. Unless you are extremely paranoid, I don't think you need to worry about this issue in particular.