[fsflover]

Or, it's another lesson that you should not completely trust any code but compartmentalize instead. Thanks to Qubes OS, I am still safe, since Zoom is running in a hardware-virtualized VM.

[JoshTriplett]

I'm safe as well, because I only use the web version of Zoom. Code you don't trust should always run in a sandbox, if it runs at all.

[fsflover]

This is however a very different level of sandboxing.

[JoshTriplett]

Sure, but it's much easier for most people to run things in a browser sandbox.

[jeffbee]

How is that helpful? This exploit completely replaces the Zoom software with arbitrary attacker software and it executes in your VM that has access to camera, microphone, network, and presumably screen recording. It sounds to me like the highest possible level of access and your VM is just performative.

[fsflover]

1. It will not have access to anything else than Zoom.

2. It will not have access to the camera or network, when I'm not using Zoom.

3. If I'm using a disposable VM, it's cleaned every reboot.

> and presumably screen recording

Screen recording of this VM.

[jeffbee]

How is screen recording only of Zoom itself of any use to you?

[fsflover]

If needed, I can move a presentation to that VM, or open a browser in it.

It gets a bit complicated if you want to share a screen from another VM, see https://forum.qubes-os.org/t/share-screen-of-qube-with-anoth...

[autoexec]

The real lesson is not to use Zoom. Anyone who does deserves everything they get. There have been so so many red flags that using Zoom will leak your data to 3rd parties (often in china) and compromise your security that people using it now must simply not care if it happens. So no surprise, it's happened yet again, and you can bet it will again and again in the future.

There are other options besides Zoom. They are different from Zoom, each with their own strengths and weaknesses, but they don't have example after example showing total incompetence and/or malicious intent the way Zoom does.