The modern office environment has shifted in recent years. Employees are routinely asked to collaborate with co-workers half way around the globe and be camera ready, or whatever passes for webcam ready, in order to telecommute when they are out of office. Every office laptop, tablet, or cell phone these days comes equipped with some sort of camera sensor capable of recording at HD resolution. Twenty years ago, that was not the case. Though tech conglomerates like HP had a different idea of teleconferencing to sell back in 2005 dubbed the Halo Collaboration Studio.

The Halo Studio was a collaboration between HP and Dreamworks that was used during the production of Bee Movie. Studio heads at Dreamworks thought it necessary to install the HP teleconferencing solution inside the New York office of Jerry Seinfeld, the writer of the film, as to allow him to avoid long trips to Dreamworks production offices in Los Angeles. According to the HP Halo Collaboration Studio brochure, “Halo actually pays for itself, not only by reducing travel costs, but also by encouraging higher productivity and stronger employee loyalty.” Certainly Dreamworks believed in that sales pitch for Bee Movie, because the upfront asking price left a bit of a sting.

Less of a singular machine, more of an entire dedicated room, the Halo Studio had a $550,000 asking price. It utilized three 1280×960 resolution plasma screens each fitted with a 720p broadcast camera and even included an “executive” table for six. The room lighting solution was also part of the package as the intent was to have all participants appear true to life size on the monitors. The system ran on a dedicated T3 fiber optic connection rated at 45 Mbps that connected to the proprietary Halo Video Exchange Network that gave customers access to 24×7 tech support for the small sum of $30,000 a month.

For more Retrotechtacular stories, check out Dan’s post on the Surveyor 1 documentary. It’s out of this world.

Ivanti and Zoom resolved security defects that could lead to arbitrary file writes, elevation of privilege, code execution, and information disclosure.

The post High-Severity Vulnerabilities Patched by Ivanti and Zoom appeared first on SecurityWeek.

Summary Bullets:

• New Zoom Workplace features are emblematic of the advent of agentic AI and the rise of Zoom as a competitor.
• A rapid accumulation of Workplace features provides Zoom with the challenge of drafting clear messaging regarding security and market positioning.

Earlier this month Zoom continued its steady drumbeat of enhancements to the Zoom Workplace platform with the latest round of new features. As with previous rounds, the new capabilities enable users to be more productive by saving time during their workday. However, the real headline is that the features are emblematic of the advent of agentic AI and the rise of Zoom as a competitor.

All the new features add value, but two are especially worth noting. With the Custom AI Companion add-on, AI Companion can attend meetings on a user’s behalf held on platforms from three of Zoom’s biggest rivals – Microsoft, Google, and coming soon, Cisco – and automatically transcribe, summarize, and deliver actionable follow-ups. Also with the add-on, users can connect to 16 third-party apps to complete tasks without ever leaving Zoom. For example, resolving customer support tickets with Zendesk and ServiceNow; updating project statuses, assigning tasks, and setting deadlines with Asana and Jira; and expediting recruiting, interviews, and onboarding with Workday.

A common thread running through the announced features is the latest phase of AI – agentic AI. Agentic AI stretches beyond generating content, featuring agents that perform tasks on users’ behalf. Agentic AI can act autonomously, make decisions, and take action without human intervention. It can adjust its approach based upon new information or changing circumstances. Zoom and each of its competitors are leveraging agentic AI in some shape or form.

Most significantly, the new features symbolize a profound metamorphosis taking place at Zoom. After its video meetings capability became renowned virtually overnight in the dark, nascent days of the pandemic, Zoom ignited a steady evolution of its platform. With the October 2023 introduction of Zoom AI Companion, that evolution took a sharp trajectory upward and morphed into a full-blown renaissance marked by the introduction of GenAI features. With the implementation of agentic AI capabilities – both those recently and newly introduced – Zoom has entered yet another chapter. Now, Zoom has taken an important step in that chapter with the integrations between competitor platforms and roster of third-party apps.

Zoom is converting the Workplace platform from an island of collaboration into a centralized hub connecting with external tools. With a critical mass of functionality available from within Zoom, Zoom creates much stickier relationships with users and enables them to get work accomplished much more rapidly. However, there are disadvantages to having extended functionality under one roof.

Within the last few years, Zoom experienced a security incident which made headlines, labeled ‘Zoom bombing.’ The company promptly restored trust, resolving the problem quickly and communicating to the public what types of security measures it had in place. Today, with Zoom Workplace linking into other tools, the issue of security becomes top of mind again. Zoom needs to resurrect the strong security message it previously drafted and remind users what safeguards are in place to reduce the chance of a major breach.

The rapid accumulation of features on the platform over an abbreviated period has resulted in a mosaic of capabilities. Zoom needs to craft a clear ‘identity’ for its suite of tools and send an unambiguous positioning message to the market. Cisco provides a good lead for Zoom to follow. In communicating what its Webex Suite stands for Cisco has erected three pillars: hybrid work, customer experience, and workspaces. Zoom needs to decide what its pillars are and mold a message accordingly.

By continuing to regularly augment the platform while drafting strong messaging regarding security and market positioning, Zoom will be poised to continue its ascent.

As businesses pivot towards multiple UCaaS platforms, the latest Exoprise monitoring solution offers deep application and network intelligence to support a modern workforce with a great digital experience. Waltham, MA – October 12, 2022 – Exoprise, a leader in Digital Experience Monitoring (DEM) solutions, announced that its latest Service Watch release enables enterprise IT and Unified Communications…

The post Exoprise Expands Network Visibility into Microsoft Teams and Leading UCaaS Applications appeared first on Exoprise.

An investigation of the clickless attack surface for the popular Zoom video conferencing solution revealed two Zero-Day Bugs (previously unknown security vulnerabilities) that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues affect both Zoom clients and Media Router (MMR) servers that relay audio and video content between clients on on-premises deployments.

The flaws have since been fixed by Zoom as part of updates released on November 24, 2021.

The goal of a no-click attack is to stealthily take control of the victim’s device without requiring any user interaction, such as clicking on a link.

While exploit features vary depending on the nature of the vulnerability exploited, a key feature of click-free hacks is their ability to leave no trace of malicious activity, making them very difficult to detect.

Two defects identified by Project Zero:

• CVE-2021-34423 (CVSS score: 9.8) is a buffer overflow vulnerability that can be used to crash a service or application or execute arbitrary code.
• CVE-2021-34424 (CVSS score: 7.5) is a process memory disclosure error that can be used to potentially obtain information about arbitrary areas of product memory.

While analyzing real-time transport protocol (RTP) traffic used to deliver audio and video over IP networks, Silvanovich discovered that it was possible to manipulate the contents of a buffer that supports playback of various types of data by sending a malformed chat message that causes the MMR client and server to crash.

Additionally, the lack of a NULL check that is used to detect the end of a string allowed for a memory leak when joining a Zoom meeting through a web browser.

The researcher also attributed the lack of memory corruption to the fact that Zoom did not enable ASLR, i.e., address space layout randomization, a security mechanism designed to increase the difficulty of executing buffer overflow attacks.

“The absence of ASLR in the Zoom MMR process greatly increases the risk that an attacker can compromise it,” Silvanovich said. “ASLR is perhaps the most important defense against memory corruption exploits, and the effectiveness of most other defenses at some level depends on the fact that it is disabled in the vast majority of programs.”

While most videoconferencing systems use open source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero has identified Zoom’s use of proprietary formats and protocols, as well as high license fees (nearly $1,500) as barriers to research. in the field of security.

“Closed source software creates unique security challenges, and Zoom can do more to make its platform available to security researchers and others who want to evaluate it,” Silvanovich said. “While Zoom Security helped me access and set up the server software, it’s not clear if support is available for other researchers, and software licensing was still expensive.”

The post Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers Details Google appeared first on OFFICIAL HACKER.