Since the beginning of the COVID-19 pandemic, Zoom has become an essential tool for remote workers, families, and friends to meet almost face-to-face. At the Black Hat security conference in Las Vegas, one security researcher demonstrated how he used the technology underlying Zoom and other applications to completely control a target's computer.
Ivan Fratric, a Security Researcher with Google Project Zero, began his talk by asking the audience who was excited about XML, and received what this reporter interpreted as mild enthusiasm. "When XML was young, I was a young computer science student and I wasn't excited about it back then either," said Fratric. "Fast forward two decades later I'm finally excited about XML for all the wrong reasons."
That's because Fratric was able to track down several bugs that, when exploited, allowed him to do all kinds of wonderfully terrible things to XMPP. What's XMPP? "Essentially an instant messaging protocol based on XML," explained Fratric. "When something is built on technology that's over two decades old, you know it's a good target for security research."
What Fratric discovered was that he could embed chunks of XMPP code, called stanzas, inside other XMPP stanzas. He could then use a client to send a smuggled stanza within a legitimate message and have it accepted and relayed by the intermediate server, but interpreted as two stanzas by the target's instant message client.
Fratric explained that all this was possible because "XML is complicated and XML parsers have quirks." The quirks are that two XML parsers can interpret the same code differently, and sometimes both do so incorrectly. Some of his attacks required two specific XML parsers that are uniquely bad when used