After facing public outcry over its handling of a zero-day vulnerability in its collaboration client for Mac, the Zoom web- and video-conferencing service has rushed out an emergency patch.
The flaw (CVE-2019–13450), allows a malicious website to hijack a user’s web camera without their permission, putting at risk the 4 million workers that use Zoom for Mac. Researcher Jonathan Leitschuh explained that an outside adversary would need only to convince a user to visit a malicious website with a specially crafted iFrame embedded, which would automatically launch a Mac user into a Zoom web conference while turning on their camera.
As Threatpost previously reported, the issue exists because the default setting for creating a new meeting is the “Participants: On” option. This automatically joins an invited person to the meeting, with webcam enabled, without the person having to give permission beyond clicking the meeting link itself.
And, adding insult to injury is a persistence feature in the service.
“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” explained Leitschuh.
The company initially deployed only a partial fix and was slow to respond to Leitschuh during the disclosure process, the researcher said. Once the facts around the case became public on Tuesday however, prompting extensive media coverage, Zoom changed its tune on fully addressing his concerns.
https://twitter.com/thebadbadrobot/status/1148647008896528386
“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” the company said on its blog Tuesday evening. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
The patch, available here, removes the local web server entirely, once the Zoom client has been updated. Also, the platform now allows users to manually uninstall Zoom.
“We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server,” the company said. “Once the patch is deployed, a new menu option will appear that says, ‘Uninstall Zoom.’ By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.”
On July 12, the company will further update the client to address the concern around enabling video on by default. First-time users who select the “always turn off my video” pop-up box will automatically have their video preference saved.
“The selection will automatically be applied to the user’s Zoom client settings and their video will be off by default for all future meetings,” the company said. “Returning users can update their video preferences and make video off by default at any time through the Zoom client settings.”
For his part, Leitschuh posted on his blog that “hopefully this patches the most glaring parts of this vulnerability. The Zoom CEO has also assured us that they will be updating their application to further protect users’ privacy.”
Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More
