ICANN found a zero-day hole in Adobe Connect
It’s looking like ICANN may have found a zero-day vulnerability in Adobe Connect, until recently its default collaboration tool.
The organization on Friday announced the results of a “forensic investigation” into the bug, and said it has reported its findings to Adobe, which is now “working on a software fix to address the root cause of the issue”.
If Adobe didn’t know about it, it looks rather like ICANN — or at least the unnamed member of the security advisory committee who found it — has bagged itself a zero-day.
ICANN had previously said that the glitch “could possibly lead to the disclosure of the information shared in an ICANN Adobe Connect room”.
The review found that the only person who exploited the bug was the person who discovered and disclosed it.
AC is used not only in ICANN’s public meetings but also, I understand, in closed sessions of ICANN staff, board and committees, where secret information is most likely to be shared.
After the bug was discovered, ICANN shut off the system and started using alternatives such as WebEx, to a mixed reception.
In the absence of an immediate patch from Adobe, ICANN has been testing workarounds and said it hopes to have two working ones deployed by May 3.
This would allow the tool to come back online in time for its board workshop, GDD Summit and ICANN 62, the organization said.
In an interesting chain of events, the AC vulnerability led to many ICANN groups using WebEx, with vulnerabilities of its own:
http://threatbrief.com/cisco-plugs-critical-hole-webex-users-urged-upgrade-asap/
I haven’t looked at previous ICANN WebEx events, but as of today, the client software is a non-vulnerable version.