As someone who has recently adopted Zoom and who has to justify this decision quite a lot, my question is where are all the exploits? If any of this is easily exploitable there would be such a shitstorm about it. Considering the current usage everybody would know about it.
To me, these look like things that could be used for local escalation or MITM attacks. This is not good but frankly, for most of Zooms use cases, it's not an issue. The only frightening thing is the turbojpeg.dll one. A POC that leads to an RCE or even a crash would be devastating for Zoom, especially considering the amount of edu setups that don't enforce passwords even now.
IDK, for me and the edu organization I'm responsible for Zoom has been a great offering (especially considering the pricing they were able to offer by default for edu and after very little negotiation) but we are actively looking at teams as a successor for the next semester. Zoom has had 3 killer features over teams (virtual background, easy dial-in, no effort guests) and all of them have gone away now with the recent teams changes. If teams finally gets customer skype calling figured out Zoom will most likely be done in the edu field because that's quite a big part of switching to teams for an all out integrated comms solution, especially since you can't use your office 365 account for consumer skype.
There are exploits though - for example, the lowest barrier to exploit vulns like 'zoom bombing' are being exploited quite often.
Others, like perhaps an RCE, are not being seen. This is for a lot of reasons.
* Many are being found by whitehats/ researchers, so by the time they're made public an attacker is already playing catch-up - it can take days or weeks to build a good exploit chain, so starting from "A patch is out" or "The vuln is disclosed" is not encouraging.
* In general, exploitation of vulnerabilities is actually quite rare. Patching practices, mitigation strategies, etc, have radically improved over the last decade. It isn't that the attackers can't do it, but the majority of attacks will just phish you, install malware, and try to make money the simplest way possible.
Does that mean you accept that risk of vulnerable software? These are not strong mitigating factors and are mostly about risk profiling and motivation. So that decision is up to you.
To me, these look like things that could be used for local escalation or MITM attacks. This is not good but frankly, for most of Zooms use cases, it's not an issue. The only frightening thing is the turbojpeg.dll one. A POC that leads to an RCE or even a crash would be devastating for Zoom, especially considering the amount of edu setups that don't enforce passwords even now.
IDK, for me and the edu organization I'm responsible for Zoom has been a great offering (especially considering the pricing they were able to offer by default for edu and after very little negotiation) but we are actively looking at teams as a successor for the next semester. Zoom has had 3 killer features over teams (virtual background, easy dial-in, no effort guests) and all of them have gone away now with the recent teams changes. If teams finally gets customer skype calling figured out Zoom will most likely be done in the edu field because that's quite a big part of switching to teams for an all out integrated comms solution, especially since you can't use your office 365 account for consumer skype.