Zoom users can share individual windows on their own device. On Windows and Linux, other windows can briefly flicker into the shared view and reveal their contents.
The video conferencing software Zoom lets users share the contents of their screen with other conference participants. They can share the entire screen, one or more application windows, or just a selected area of the screen. Under certain conditions, however, other screen content that has not been approved for sharing is transmitted as well.
The involuntary disclosure occurs when the window of the shared application is overlaid by the window of another, unshared application: on Windows, when the unshared application is opened, and on Linux, when the unshared application is closed. The unwanted content appears only for a brief moment, but a participant who records the video conference can rewind and study what was involuntarily shared.
Penetration testers from SySS GmbH in Tübingen discovered the security-relevant bug. They informed Zoom before Christmas. The usual deadline for a fix has now expired, so SySS published the bug on Wednesday (CVE-2021-28133). Zoom has not yet fixed it. To prevent involuntary disclosure, for the time being you should not open or close any other windows while a screen share is active.