Security Bulletin | Zoom.
What is SOC 2?
ISO/IEC certification and SOC 2 + HITRUST requirements. Zoom Meetings, Zoom Phone, Zoom Chat, Zoom Rooms, and Zoom Webinar are now in scope. Zoom’s SOC 2 + HITRUST report provides a transparent look at the controls in place that protect the security and availability of the Zoom platform. Therefore, the customer will have to download any recorded meetings prior to the cut-off. Zoom responds to incidents as defined within its SOC 2 report, available upon request.
– Legal resources | Zoom
Source: Reported by the Zero Day Initiative. Description: The chat functionality of the Zoom Client for Meetings was susceptible to zip-bombing attacks (archives that inflate to many times their stored size) in the following product versions: Android before version 5. This could cause availability problems on the client host by exhausting system resources. The condition is reachable if the receiving user switches to a non-chat feature and lets the host go to sleep before the sending user "explodes" the messages, that is, triggers their expansion.
Source: Reported by Olivia O’Hara. Description: A vulnerability was discovered in the Keybase Client for Windows before version 5. In versions prior to 5. Description: The Zoom Client for Meetings before version 5.
Description: A vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin which potentially allowed the state of process memory to be exposed.
Zoom has addressed this issue in the latest releases of the products listed in the section below. This could allow a malicious actor to crash the service or application, or to leverage the vulnerability to execute arbitrary code.
Description: The Keybase Client for Windows before version 5. A malicious user could upload a file to a shared folder with a specially crafted file name that could cause a user to execute an application they did not intend to run on their host machine. If a malicious user combined this issue with the public folder sharing feature of the Keybase client, it could lead to remote code execution.
Keybase addressed this issue in the 5. Description: The Keybase Client for Android before version 5. Zoom addressed this issue in the 5. This could allow meeting participants to be targeted for social engineering attacks. This could lead to a crash of the login service. Source: Reported by Jeremy Brown. This could lead to remote command injection by a web portal administrator.
Description: The network address administrative settings page of the web portal for the Zoom on-premise Meeting Connector before version 4. Description: The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.
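The Meeting Connector items above describe command injection through network settings that a web portal administrator can edit: a field meant to hold an address ends up inside a command line. As an added illustration, not the Meeting Connector's code, the following Python shows the vulnerable pattern beside a hardened handler that allow-lists the value as an IP literal or hostname and hands it to the program as a single argv element with no shell in between. The form field, the `ping` command and the sample inputs are assumptions for the demonstration.

```python
"""Network-settings handler: command injection, vulnerable vs hardened.
Added example, not the Meeting Connector's code."""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading
# or trailing hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command_line(address: str) -> str:
    """The bug: the form field is interpolated into a line handed to /bin/sh.
    Returned instead of executed so it can be inspected safely."""
    return f"ping -c 1 {address}"


def shell_tokens(cmdline: str) -> List[str]:
    """How a POSIX shell tokenizes the line: operators such as ';' and '|'
    come out as their own tokens, which is exactly the injection."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def parse_network_address(value: str) -> str:
    """Allow-list: an IPv4/IPv6 literal or a DNS hostname, nothing else.
    Rejecting a leading '-' also blocks option injection into the program."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected network address: {value!r}")


def is_valid_network_address(value: str) -> bool:
    try:
        parse_network_address(value)
        return True
    except ValueError:
        return False


def hardened_argv(address: str) -> List[str]:
    """The validated value is one argv element; run with shell=False it goes
    straight to execve and is never parsed for metacharacters."""
    return ["ping", "-c", "1", parse_network_address(address)]


def run_hardened(address: str) -> subprocess.CompletedProcess:
    """Execute without a shell (shell=False is the default) and with a timeout."""
    return subprocess.run(hardened_argv(address), capture_output=True, timeout=10)


def quoted_command_line(address: str) -> str:
    """Second-best, when a shell is unavoidable: quoting makes the whole value
    one shell word. It does not replace validation, because the program
    still receives whatever the administrator typed as its argument."""
    return f"ping -c 1 {shlex.quote(address)}"


if __name__ == "__main__":
    payload = "127.0.0.1; id"          # constructed attacker input
    print(shell_tokens(vulnerable_command_line(payload)))
    print(shell_tokens(quoted_command_line(payload)))
    print(is_valid_network_address(payload), hardened_argv("10.0.0.5"))
```

Two points worth keeping apart: `shlex.quote` neutralises shell metacharacters but not argument injection (a value beginning with `-` is still parsed as an option by the target program), which is why the allow-list validation runs regardless of how the command is launched; and an argv list with `shell=False` removes the shell from the picture entirely, so the quoting path should only survive in legacy code you cannot yet rewrite.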
This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context. Description: During the installation process for all versions of the Zoom Client for Meetings for Windows before 5. If the installer was launched with elevated privileges, such as by SCCM, this can result in a local privilege escalation. Description: A user-writable application bundle unpacked during the install of all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.
In the affected products listed below, a malicious actor with local access to a user’s machine could use this flaw to run arbitrary system commands in a higher-privileged context during the installation process. Description: A user-writable directory created during the installation of the Zoom Client for Meetings for Windows prior to version 5.
This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify. This could lead to remote code execution in an elevated privileged context.
Description: A heap-based buffer overflow exists in all desktop versions of the Zoom Client for Meetings before version 5.
This finding was reported to Zoom as part of Pwn2Own Vancouver. For the attack to succeed, the target must have previously accepted a Connection Request from the malicious user or be in a multi-user chat with them. The attack chain demonstrated at Pwn2Own can be highly visible to targets, causing multiple client notifications to occur.
Zoom introduced several new security mitigations in Zoom Windows Client version 5. We are continuing to work on additional measures to resolve this issue across all affected platforms. The vulnerability is due to insufficient signature checks of dynamically loaded DLLs when loading a signed executable. An attacker could exploit this by injecting a malicious DLL into a signed Zoom executable and using it to launch processes with elevated permissions.
Description : A vulnerability in how the Zoom Windows installer handles junctions when deleting files could allow a local Windows user to delete files otherwise not deletable by the user.
The vulnerability is due to insufficient checking for junctions in the directory from which the installer deletes files, which is writable by standard users.
A malicious local user could exploit this vulnerability by creating a junction in the affected directory that points to protected system files or other files to which the user does not have permissions.
Upon running the Zoom Windows installer with elevated permissions, as is the case when it is run through managed deployment software, those files would be deleted from the system. Zoom addressed this issue in the 4.

April 20. These include new features, improved transparency and documentation, enhanced practices, and a measurement plan.
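For the junction-deletion issue in the bulletin above, here is an added example in Python, not the Zoom installer's code, that contrasts a recursive delete which follows links with one that treats every link or reparse point as a leaf and removes the link object rather than what it points to. The fixture (a "protected" directory, a user-writable install directory, a planted link named `plugins`) and the file names are constructed for the demonstration; on Linux a symlink stands in for a Windows junction, and the same `lstat` attribute check covers junctions on Windows.

```python
"""Deleting from a user-writable directory with elevated privileges.
Added example, not the Zoom installer's code."""
import os
import shutil
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for a symlink on any platform, or for a junction or other reparse
    point on Windows (st_file_attributes only exists there)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def naive_remove_tree(root: str) -> None:
    """The vulnerable pattern: walk with followlinks=True and delete whatever
    the walk reaches. Files behind a planted link get deleted with the
    caller's (elevated) privileges."""
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=True):
        for name in filenames:
            os.unlink(os.path.join(dirpath, name))
        for name in dirnames:
            p = os.path.join(dirpath, name)
            os.unlink(p) if os.path.islink(p) else os.rmdir(p)
    os.rmdir(root)


def safe_remove_tree(root: str) -> int:
    """Hardened: refuse a root that is itself a link, never descend through a
    link or reparse point (remove the link object only), and recurse only
    into real directories. Returns the number of entries removed."""
    if is_reparse_point(root):
        raise PermissionError(f"refusing to delete through a link: {root}")
    removed = 0
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        if entry.is_symlink() or is_reparse_point(entry.path):
            # A Windows junction is a directory entry; a symlink is not.
            if entry.is_dir(follow_symlinks=False):
                os.rmdir(entry.path)
            else:
                os.unlink(entry.path)
            removed += 1
        elif entry.is_dir(follow_symlinks=False):
            removed += safe_remove_tree(entry.path)
        else:
            os.unlink(entry.path)
            removed += 1
    os.rmdir(root)
    return removed + 1


def demo(deleter) -> dict:
    """Constructed fixture: a 'protected' directory the standard user could
    not delete from, and a user-writable install directory into which that
    user has planted a link pointing at it. Returns whether the protected
    file survived the elevated delete and whether the install dir is gone."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "protected")
    os.mkdir(protected)
    secret = os.path.join(protected, "important.dll")
    with open(secret, "wb") as f:
        f.write(b"not yours to delete")
    install_dir = os.path.join(base, "install")
    os.mkdir(install_dir)
    with open(os.path.join(install_dir, "installer.log"), "w") as f:
        f.write("log\n")
    # The planted link: on Windows this would be a junction created by the
    # standard user; on Linux a symlink plays the same role.
    os.symlink(protected, os.path.join(install_dir, "plugins"), target_is_directory=True)
    try:
        deleter(install_dir)
    finally:
        result = {"protected_file_survived": os.path.exists(secret),
                  "install_dir_removed": not os.path.exists(install_dir)}
        shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print("naive:", demo(naive_remove_tree))
    print("safe: ", demo(safe_remove_tree))
```

The link check closes the traversal the bulletin describes, but an elevated process deleting inside a directory a standard user can write to still races that user: a real directory can be swapped for a junction between the check and the `rmdir`. The durable fix is the one the bulletin implies, which is not to perform privileged deletes in user-writable locations at all (do that work as the user, or install into a location only administrators can write).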
Achievement of the Cyber Essentials Plus certification. With this PA (provisional authorization), the entire Zoom for Government platform will be available for use by organizations that need IL4-authorized solutions.
Common Criteria Certification. Additionally, Zoom offers bespoke solutions for specific audiences across industries and locations, such as Zoom X powered by Telekom: Zoom and Deutsche Telekom committed to developing a joint solution specifically for the German market, which combines the experience customers love from Zoom with the trusted network and service delivered by Deutsche Telekom.
Zoom for Government. Zoom for Government, which is designed for U.
Distribution or disclosure of any portion of the Report, or of any information or advice contained therein, to persons other than Company is prohibited, except as provided below. Company agrees to allow Recipient to access the Report on the condition that Recipient reads, understands, and agrees to all of the following:
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
Download SOC 2.

What is a SOC 2 Audit? A SOC 2 audit evaluates an organization's controls against the five Trust Services Criteria:
1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

Why is SOC 2 Important? These are common questions for companies starting on their journey to SOC 2 compliance. Controls and attestation reports are unique to every organization: each company designs its own controls to meet the Trust Services Criteria. Auditors use the following terms to describe the audit result:
Unqualified: the company passed its audit.
Qualified: the company passed, but some areas require attention.
Adverse: the company failed its audit.

SOC 2 Type I reports assess whether controls are suitably designed at a point in time. They answer the question: are the security controls designed properly? SOC 2 Type II reports assess how those controls operate over a period of time, generally months. They answer the question: do the security controls a company has in place function as intended? Some vendors provide both. SOC 3 reports also exist. The differences are considerable and are not evident to those for whom System and Organization Controls is an unfamiliar domain. What does a SOC require, and should I pursue one?
There was a need for a more comprehensive system of evaluation, going beyond an audit of financial statements. The upgrades include an attestation issued by the company confirming that the described controls are in place and fully functional. Public companies are also accountable under the Sarbanes-Oxley Act, a record-keeping and financial-disclosure law.