I work at a bank, and we have strict rules about what data can be logged (and what data can never be logged), to avoid accidental information disclosure if somebody ever gets our logs (which, I assume, would be about as hard to do as getting somebody’s password database, which happens all the time).
So, while that’s not about remote code execution, I will agree that what is actually logged in this SQLite database could be important information. But I would expect a little more than “OMG! They’re logging to a SQLite database, and you could log bad things to a SQLite database!”
* Zoom uses SQLite to store message history and other remotely-controllable data
I've seen enough. I don't need to see the entire chain - which in this case would be that the message history queries specifically are built in an unsafe way - to know that Zoom is software that I absolutely should not trust, and that I do not want to have installed on any of my endpoints if I want the other data on them to remain secure.
Unfortunately, I do not have a choice. I am working with two telehealth providers who use Zoom. So the next best thing is to be as angry as possible about it. The hiring of Alex Stamos is a good move but we need to keep the pressure on.
Put another way, I work for an EU-based fintech. We have similar guidelines (plus a strict log rotation policy, partially due to GDPR but also for many other reasons), but I'm pretty sure our head of security would shit bricks if he found out that our logging framework had an RCE.
Any head of security would shit bricks if they discovered software being used across the company that had a remote code execution vulnerability, but the blog post doesn’t actually identify an RCE. It points to some code that hypothetically could be the basis for an RCE.
Zoom isn’t open source. The blog post doesn’t actually have the entire call chain for the potentially problematic code. It doesn’t determine if the strings have been sanitized before the string concatenation, or if they come from a known limited set, etc. It’s entirely possible that the concatenation is in the lowest levels of some enterprise-specific framework code that is guaranteed to only be called after relevant safety checks have been run.
We have a blog post that points to unconnected facts, says “I can imagine evil ways to connect these facts, but I’m not going to spend any more time determining if my concerns actually exist in the rest of the codebase.” We can decide how uncomfortable that makes each of us. I will say that SQLite is used in the most surprising places. I’m almost certain it’s used by whatever browser you’re using right now. If you refuse to use software that relies on SQLite until you can verify that every call site is safe, you’re going to lose a lot of sleep.
Of course, I’m influenced by my background. I still see stories about software installed without management knowledge, and while I remember working at places with lax enough policies that was possible, I haven’t had that kind of access on my work computers since before the Sony Pictures hack in 2014. I’m not in finance, but I’ve written software for people who are. In the US, financial compliance departments care about the software traders and financial advisers use for their jobs, and any software installed on the same computers (this was an issue at one of my jobs because our software generally wasn’t on the approved list, so our customers had to have it installed on a separate computer for unapproved software; and that was apparently common practice in the industry). I don’t lose any sleep when my kids use Zoom on their school-provided laptops, but I personally can’t use it for work purposes because my work laptop is locked down, and I expect it to be locked down.
If message history goes into that database and is not sanitised properly, there's a good chance this gives other conference participants RCE.
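The thread's disagreement turns on one technical question: whether message text reaches the SQLite query as part of the SQL string (concatenation) or as a bound parameter. The following is an added example, not code from Zoom or from the blog post being discussed; it uses a hypothetical `messages(sender, body)` table and constructed sample messages to show how the two approaches behave on an ordinary message containing an apostrophe, plus a small review helper that flags user-supplied values that appear verbatim inside SQL text.

```python
import sqlite3

# Constructed sample chat messages. The apostrophe in the second one is
# ordinary user text, not a crafted payload; it is enough to tell the two
# storage approaches apart.
SAMPLE_MESSAGES = [
    ("alice", "hello everyone"),
    ("bob", "don't forget the 3pm sync"),
]


def open_history_db() -> sqlite3.Connection:
    """Create an in-memory message-history table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender TEXT, body TEXT)")
    return conn


def store_concatenated(conn: sqlite3.Connection, sender: str, body: str) -> None:
    """Unsafe pattern: the INSERT is built by string concatenation, so the
    message body is parsed by SQLite as part of the statement itself."""
    sql = ("INSERT INTO messages (sender, body) VALUES ('"
           + sender + "', '" + body + "')")
    conn.execute(sql)


def store_parameterized(conn: sqlite3.Connection, sender: str, body: str) -> None:
    """Safe pattern: the body is bound as a parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", (sender, body))


def try_store(store, messages):
    """Run one storage function over the sample messages.

    Returns (rows_stored, errors) where errors lists (body, exception name)
    for every message the storage function failed on.
    """
    conn = open_history_db()
    errors = []
    for sender, body in messages:
        try:
            store(conn, sender, body)
        except sqlite3.Error as exc:
            # With concatenation, a body containing a quote breaks the
            # statement: SQLite cannot tell data from SQL any more.
            errors.append((body, type(exc).__name__))
    count = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    conn.close()
    return count, errors


def values_embedded_in_sql(sql: str, user_values) -> list:
    """Code-review heuristic: return the user-supplied values that occur
    verbatim inside the SQL text. A bound parameter never appears in the
    statement string, so any hit points at concatenation."""
    return [v for v in user_values if v and v in sql]


if __name__ == "__main__":
    for name, store in (("concatenated", store_concatenated),
                        ("parameterized", store_parameterized)):
        count, errors = try_store(store, SAMPLE_MESSAGES)
        print(f"{name}: stored {count} of {len(SAMPLE_MESSAGES)}, errors={errors}")
```

The concatenated version loses the second message with an `OperationalError`, which is the same root cause as the injection concern raised in the thread: once message content is spliced into the statement, SQLite treats it as SQL. The parameterized version stores both rows, and `values_embedded_in_sql` is the kind of check a reviewer can run over a captured statement string to confirm which of the two a code path actually uses.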