Video conferencing provider Zoom has pushed out an emergency patch to address the zero-day vulnerability for Mac users that could potentially expose a live webcam feed to an attacker, launching you into a Zoom video chat youd never intended to launch. The move is a surprise reversal of Zooms previous stance, in which the company treated the vulnerability as “low risk” and defended its use of a local web server that incidentally exposed Zoom users to potential attacks.
The fix, detailed in the latest update to Zooms blog post on the vulnerability, will now “remove the local web server entirely, once the Zoom client has been updated,” to take away the ability for a malicious third party to automatically activate webcams using a Zoom link. The vulnerability arises from the fact that Zoom installs a local web server onto Mac computers that install its application, which allows the platform to bypass security measures in Safari 12 that prompt users with a dialogue box to confirm the joining of a new meeting.
In an interview with The Verge after this post was originally published, Zooms chief information security officer, Richard Farley, explained the thinking behind the companys about face today:
Ultimately, its based on based on the feedback of the people that have been following this and contributing to the discussion. Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision. And it was [at] the request of some of our customers.
But we also recognize and respect the view of others that say they dont want to have an extra process installed on their local machine. So thats why we made the decision to remove that component — despite the fact that its going to require an extra click from Safari.
Although Farley maintains that the web server it had installed was “stripped down to its bare functionality” and was secure, the company chose to remove it. A further concern that has been floating around is the ability to include Zoom links inside iframes inside web pages — Farley says Zoom wont block that functionality because too many of its large enterprise customers actually use iframes in their implementation of Zooms software.
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U— Zoom (@zoom_us) July 9, 2019
Zoom says it used the local web server to make its service faster and easier to use — in other words, saving you a few mouse clicks. But the server also creates the rare but present possibility that a malicious website could activate your webcam by using an iframe, getting around Safaris built-in protections. In a since-patched version of Zoom, this same vulnerability could also have been used to conduct denial of service attacks on someone through continuous pings to that local web server.
Heres the update text, and Zooms directions for how to install it and/or remove the web server entirely:
The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – Were adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the users device along with the users saved settings.
Following a Medium post yesterday from Leitschuh that first detailed the vulnerability, Zoom said it would be pushing out an update later this month that would let users save video call preferences to make it so webcams can stay off whenever joining a new call. This worked by carrying over your preferences to new calls, including ones that could be masked spam links designed to get you to click and accidentally activate your webcam.
That was not a sufficient enough fix to some critics, as Zoom was still effectively bypassing Apple security just so it could launch Zoom calls right away and without confirmation from a user. Initially, Zoom defended the web server as a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings,” as Farley wrote in the original version of the companys blog post.
I mean, the platform owner decides that web URLs shouldn't open other apps without an approval click–a pretty sensible security measure. Your response as a company probably shouldn't be, "let's bypass this by invisibly installing a server that's a potential security hole."
— Jason Snell (@jsnell) July 9, 2019
Leitschuh had originally made Zoom aware of the issue back in March, and he gave Zoom 90 days to respond. It “ultimately decided not to change the application functionality,” Farley wrote. So Leitschuh went public, after declining to join Zooms bug bounty program for what Zoom describes as disagreements over its non-disclosure policy.
But according to Leitschuh, Zoom CEO Eric Yuan made a “full about face” earlier today, apologizing for the response and for Zoom dragging its feet on addressing the vulnerability, Wired reports. Incidentally, Yuan made that announcement to Leitschuh and other researchers in one of the test Zoom channels they had created to prove their point about the seriousness of the vulnerability.
