Zoom, the video conferencing provider, has issued an emergency patch for a zero-day vulnerability that could force Mac users into a Zoom video call they never asked for, exposing their live webcam feed to attackers. The move sharply reverses Zoom's earlier stance: the company had called the issue "low risk" and defended the local web server that exposed users to the attack.
The fixes described in the latest update to Zoom's blog post on the vulnerability include "completely remove the local web server after the Zoom client has been updated", which removes the ability of malicious third parties to use a Zoom link to activate a user's webcam. The vulnerability existed because Zoom installed a local web server on every Mac on which its application was installed and used it to circumvent a Safari safeguard: the confirmation dialog that would otherwise ask users whether they wanted to join a new conference.
[Update] The July 9 patch for the Zoom app on Mac devices is now available. Our earlier blog post describes how to update your Zoom software, as well as details of the changes it contains. For more information, please see the following blog post: https://t.co/56yDgoZf1U
– Zoom (@zoom_us) July 9, 2019
Zoom's stated reason for the server was to make the service faster and easier to use, in its words saving users a few mouse clicks. But the local web server created a rare but real possibility that a malicious website could use an iframe to activate the webcam, sidestepping Safari's built-in protection. Previous versions of the Zoom client were also open to a denial-of-service attack through the same weakness, by repeatedly pinging a user's local web server.
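An added example (not Zoom's code, and not from the original article) of the rule the flaw illustrates: a helper listening on localhost must not honour requests that any web page the user visits can trigger. `lax_policy` reproduces the behaviour described above, where an iframe on an unrelated site can fire the action; `strict_policy` is one hardened gate. The origin, header names and token are constructed assumptions.

```python
import secrets
from typing import Mapping

# Constructed example. None of these names come from Zoom; they illustrate
# the general rule for any helper that listens on localhost.
ALLOWED_ORIGINS = {"https://conference.example.test"}   # the vendor's own web origin


def lax_policy(method: str, headers: Mapping[str, str], install_token: str) -> bool:
    """Behaviour the article describes: any request reaching localhost is honoured,
    so an <img> or <iframe> on an unrelated site can trigger the action."""
    return True


def strict_policy(method: str, headers: Mapping[str, str], install_token: str) -> bool:
    """Hardened check for a localhost helper.

    * Only POST is accepted: <img>/<iframe> embeds can only issue GETs.
    * Origin must be on the allow-list: browsers set Origin on cross-site
      POSTs and a page cannot forge it.
    * The caller must present a per-install secret that a foreign page
      cannot read; compare_digest avoids a timing side channel.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False
    return secrets.compare_digest(h.get("x-install-token", ""), install_token)


# Constructed sample traffic: what an <iframe src="http://localhost:..."> embedded
# on a third-party page produces (a plain GET with only a Referer), versus a
# legitimate call from the vendor's own site.
INSTALL_TOKEN = "c0ffee-constructed-secret"
IFRAME_FROM_OTHER_SITE = ("GET", {"Referer": "https://other-site.example.net/page"})
LEGIT_CALL = ("POST", {"Origin": "https://conference.example.test",
                       "X-Install-Token": INSTALL_TOKEN})


def evaluate(policy):
    """Return (accepts_iframe_trigger, accepts_legitimate_call) for a policy."""
    return (policy(*IFRAME_FROM_OTHER_SITE, INSTALL_TOKEN),
            policy(*LEGIT_CALL, INSTALL_TOKEN))


if __name__ == "__main__":
    print("lax   :", evaluate(lax_policy))     # (True, True): any site can fire it
    print("strict:", evaluate(strict_policy))  # (False, True)
```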
The text of Zoom's update, including its instructions on how the web server is completely removed, reads:
The patch scheduled for tonight (July 9) before 12:00 AM PT will do the following:
1. Completely remove the local web server once the Zoom client is updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed from the device.
2. Allow users to manually remove Zoom – We are adding a new option to the Zoom menu bar that allows users to manually and completely remove the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear called "Remove Zoom." Clicking that button will completely remove Zoom from the user's device, along with the user's saved settings.
Security researcher Jonathan Leitschuh, who disclosed the vulnerability at the beginning of the month, explained that the video preference a user chose for one call was saved and applied to every new call, so the webcam could be on by default. Combined with the local web server, this made it possible to send users links that would start a call with their camera active, including links disguised as spam, designed to attract clicks and activate the webcam without the user intending it.
For some critics the fix did not go far enough, because a link could still bypass the prompt and immediately start a Zoom call without asking the user. Initially, Zoom defended the web server as a "legitimate solution to a poor user experience," in the words of Richard Farley, Zoom's Chief Information Security Officer, in the original version of the company's blog post.
"So the platform owner decides that web URLs should not be able to open other apps without a confirmation click," wrote Jason Snell. "Your response as a company is to circumvent it by invisibly installing a server that is a potential security hole?"
Zoom had known about the problem since March, when Leitschuh reported it and gave the company 90 days to respond. Zoom decided not to change the application's functionality, so Leitschuh published his findings; he had declined to take part in Zoom's bug bounty program because of what Zoom described as a disagreement over its policy that he not publicly disclose.
However, according to Leitschuh, Zoom CEO Eric Yuan has since apologized for the company's response and committed to fixing the vulnerability, Wired reports.
Yuan also reportedly dropped into one of the test Zoom calls that Leitschuh and other researchers had set up to demonstrate the severity of the vulnerability.
The conversation with the CEO of @zoom_us in the 'Party Chat' was very productive. Their response to this #vulnerability was an about-face from their previous position.
– Jonathan Leitschuh, July 9, 2019
Update, July 9 at 5:52 PM ET: Zoom's update removing the local web server for Mac users is now available.