The Zoom zero-day hit. Then, Forescout Researchers were curious enough to venture forth to the emergency web conference of Zoom Video Communications, in which Zoom CEO Eric Yuan led his organization through its incident response to an uncomfortable Remote Code Execution (RCE) bug in its enterprise software.

The Zoom macOS client vulnerability was interesting: it allowed any website to forcibly join a user to a Zoom call with their video camera activated and without the user's permission, to perform denial-of-service, and to automagically re-install the app. Apple has since silently removed affected applications from up-to-date devices by utilizing the Malware Removal Tool. Assetnote researchers discovered similar RCE product security issues and also pointed out the impact across Zoom's white label partner supply chain.

Zoom's Technology Challenge: Product Security Control

Behind the scenes, the problem faced by Zoom neatly illustrated the challenges of maintaining leadership, architectural vision and product security control while developing apps and tools across many platforms. So many business apps. So many platforms. So many variants.

Sometimes, Technology and Financial Services companies share the same headache. Just as today's Financial Services CISOs must endure the maintenance of countless internally-built applications, modern code-developing Technology firms like Zoom work to extend product security visibility - but the struggle is real. In this case, the surprise came from Zoom's native Mac app.

The Supply Chain

'So what' if only Mac users were affected? There are 100 million Macs and countless enterprises use them. And the backstory provides an interesting supply chain threat model at a scale that just keeps getting bigger. Further supply chain challenges affect Zoom apps and its remarkable application capabilities through its partner program. At worst, any partner supply chain resembles how risk transferred from Business Associates (BAs) leads to breach in healthcare, and how partner software bundling exposes a broader application attack surface for suppliers like HP, Dell and Lenovo. Supply chain issues go both upstream and downstream, and they're hard to manage.

Sometimes Looks Like Magic

In the meantime, the situation keeps getting weirder. 'If any good technology is sufficiently indistinguishable from magic, some of the devices made by Zoom partners are definitely magic,' said one Forescout Researcher. Many operating systems, many addresses, infinity features and -enabled components from an array of manufacturers. The world is changing on us, one thing at a time.

Introducing Forescout SPT VR Zoom: Practicable, Policy-Led Orchestration

That backstory is how Forescout Research selected this month's Security Policy Template (SPT) in order to demonstrate practicable orchestration on the Forescout platform. This time, we aimed to demonstrate an elegant, policy-led orchestration as a simple SPT in response to the Zoom issue. Overall, orchestration-leading security policy templates can be adapted to find the gaps between vulnerable and patched devices across the data center, cloud and campus.

Research Discussion

Later, after having participated and delivered their assorted responses, Forescout Researchers heralded the arrival of their Zoom T-shirt, which they would later share in their Research Labs next to the Forescout Family /ICS trophy case. Overall, they were impressed by the Zoom CEO's incident response and resulting positive narrative.

Forescout Product Content Updates

The security policy for SPT VR Zoom is a nice takeaway for Forescout customers. Also, due to the complicated Zoom Supply Chain, we released SPT VR RingCentral Meetings, which addresses the same issue in a white-label version of the same technology: