by kevincox 1486 days ago
This is another lesson that you should always parse+serialize rather than just validate. It is much harder to smuggle data this way to exploit different parsers.

Basically the set of all messages that will satisfy your validator is far larger than the set of all messages that will be produced by your serializer.


Or, it's another lesson that you should not completely trust any code but compartmentalize instead. Thanks to Qubes OS, I am still safe, since Zoom is running in a hardware-virtualized VM.
I'm safe as well, because I only use the web version of Zoom. Code you don't trust should always run in a sandbox, if it runs at all.
This is however a very different level of sandboxing.
Sure, but it's much easier for most people to run things in a browser sandbox.
How is that helpful? This exploit completely replaces the Zoom software with arbitrary attacker software and it executes in your VM that has access to camera, microphone, network, and presumably screen recording. It sounds to me like the highest possible level of access and your VM is just performative.
1. It will not have access to anything else than Zoom.

2. It will not have access to the camera or network, when I'm not using Zoom.

3. If I'm using a disposable VM, it's cleaned every reboot.

> and presumably screen recording

Screen recording of this VM.

How is screen recording only of Zoom itself of any use to you?
If needed, I can move a presentation to that VM, or open a browser in it.

It gets a bit complicated if you want to share a screen from another VM, see https://forum.qubes-os.org/t/share-screen-of-qube-with-anoth...

The real lesson is not to use Zoom. Anyone who does deserves everything they get. There have been so so many red flags that using Zoom will leak your data to 3rd parties (often in China) and compromise your security that people using it now must simply not care if it happens. So no surprise, it's happened yet again, and you can bet it will again and again in the future.

There are other options besides Zoom. They are different from Zoom, each with their own strengths and weaknesses, but they don't have example after example showing total incompetence and/or malicious intent the way Zoom does.

I am not sure this applies in this case. I don't know how Zoom's XMPP backend works, but it could very well parse and serialize and still be vulnerable. If the XML library accepts invalid 3-byte UTF-8 characters on parse, then its internal representation supports these characters, and I don't see why they would not be serialized just as well.
XMPP servers (including Zoom's) already parse + serialize ;)
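The two points above (kevincox's "validator accepts more than the serializer produces" and the reply about invalid 3-byte UTF-8) as an added, runnable example; this is not code from the thread or from any XMPP or Zoom software. `lenient_utf8_decode` is a stand-in for a hypothetical permissive downstream parser, and `SMUGGLED` is constructed sample input.

```python
# Added example (not from the thread): "validate and forward" versus "parse and
# re-serialize", using an overlong 3-byte UTF-8 encoding of '<' (E0 80 BC).
# lenient_utf8_decode stands in for a hypothetical permissive downstream parser.

def lenient_utf8_decode(data: bytes) -> str:
    """Honour lead-byte length and continuation bits, but never reject
    overlong forms, so E0 80 BC decodes to '<' just like the byte 3C."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        else:
            raise ValueError("unsupported lead byte")
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for c in data[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)

def validate_only(raw: bytes) -> tuple[bool, bytes]:
    """Blocklist check on raw bytes, then forward them untouched: anything
    without a literal 0x3C/0x3E byte passes, overlong forms included."""
    if b"<" in raw or b">" in raw:
        return False, b""
    return True, raw

def parse_and_serialize(raw: bytes) -> tuple[bool, bytes]:
    """Strict parse into an internal form, then emit our own encoding.
    Python's decoder rejects overlong forms, so only canonical UTF-8 that
    the serializer itself would produce is ever forwarded."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, b""
    if "<" in text or ">" in text:
        return False, b""
    return True, text.encode("utf-8")

# Constructed sample: "hi <b>" with '<' and '>' as overlong 3-byte sequences.
SMUGGLED = b"hi \xe0\x80\xbcb\xe0\x80\xbe"
```

The validator forwards `SMUGGLED` unchanged because no literal `<` byte is present, and the lenient decoder then reads it as `hi <b>`; the parse-and-serialize path rejects it outright because the strict decoder never accepts the overlong form.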