Zoom fixes major Mac webcam security flaw with emergency patch

Video conferencing provider Zoom has released an emergency patch for a zero-day vulnerability affecting Mac users, which could expose a live webcam feed to an attacker by launching the user into a Zoom video call they never intended to join. The move is an unexpected reversal of Zoom's previous stance, in which the company treated the vulnerability as "low risk" and defended its use of a local web server that incidentally exposed Zoom users to possible attacks.

The fix, detailed in the latest update to Zoom's blog post about the vulnerability, will "remove the local web server completely, once the Zoom client has been updated", eliminating the ability of a malicious third party to activate webcams using a Zoom link. The vulnerability stems from the fact that Zoom installs a local web server on any Mac where its application is installed, which lets the platform bypass a safeguard in Safari 12 that prompts users with a dialog box to confirm joining a new meeting.

In an interview with The Verge after this story was originally published, Zoom's chief information security officer, Richard Farley, explained the thinking behind the company's about-face today:

Ultimately, it relies on feedback from people who have been following this and contributing to the discussion. Our original position was that installing this process [web server] to allow users to join the meeting without having to make these additional clicks, we believed that was the right decision. And it was [at] the request of some of our clients.

But we also recognize and respect the opinion of others who say they do not want to have an additional process installed on their local machine. That's why we made the decision to remove that component, even though it will require an additional click in Safari.

Although Farley maintains that the web server it had installed was "limited in its functionality" and was safe, the company chose to remove it. Another concern that has been raised is the possibility of embedding Zoom links within iframes on web pages. Farley says Zoom will not block that functionality because many of its large business customers actually use iframes in their deployment of the Zoom software.

Zoom says it used the local web server to make its service faster and easier to use; in other words, it saves you a few mouse clicks. But the server also creates the rare but real possibility that a malicious website can activate your webcam using an iframe, bypassing Safari's built-in protections. In a version of Zoom that has since been patched, this same vulnerability could also have been used to perform denial-of-service attacks against someone by continuously pinging that local web server.

This is the text of Zoom's update, with instructions on how to install the patch and/or remove the web server completely:

The patch planned for tonight (July 9) at 12:00 a.m. Pacific will do the following:

1. Remove the local web server completely once the Zoom client has been updated: we are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.

2. Allow users to manually uninstall Zoom: we are adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is installed, a new menu option will appear that says "Uninstall Zoom". By clicking that button, Zoom will be completely removed from the user's device along with the user's saved settings.
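One way a Mac administrator could verify, after the update, that no Zoom-associated process is still listening on the loopback interface where a browser could reach it. This is an added example, not code from Zoom or from the article; the sample `lsof` output, the process name "zoomhelper" and the port 19999 are constructed placeholders, not Zoom's real identifiers.

```python
import re
import subprocess
from typing import Dict, List

# Matches one data line of `lsof -nP -iTCP -sTCP:LISTEN` output (macOS/Linux).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_LINE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>[\w.\[\]:*]+):(?P<port>\d+)\s+\(LISTEN\)"
)

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(lsof_output: str) -> List[Dict[str, str]]:
    """Return one record per listening TCP socket found in lsof output."""
    return [m.groupdict() for line in lsof_output.splitlines()
            if (m := LSOF_LINE.match(line))]


def loopback_listeners(records: List[Dict[str, str]], name_pattern: str = r"zoom") -> List[Dict[str, str]]:
    """Keep listeners a local browser could reach (loopback or wildcard bind)
    whose process name matches name_pattern (case-insensitive)."""
    rx = re.compile(name_pattern, re.IGNORECASE)
    return [r for r in records
            if (r["addr"] in LOOPBACK or r["addr"] == "*") and rx.search(r["command"])]


def check_live(name_pattern: str = r"zoom") -> List[Dict[str, str]]:
    """Run lsof on this machine and report matching listeners (requires lsof)."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True).stdout
    return loopback_listeners(parse_listeners(out), name_pattern)


# Constructed sample output; "zoomhelper" and port 19999 are placeholders.
SAMPLE = """COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
zoomhelper  412 alice    7u  IPv4 0x6f1c2a3b4c5d6e7f      0t0  TCP 127.0.0.1:19999 (LISTEN)
sshd        101 root     3u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:22 (LISTEN)
postgres    900 alice    5u  IPv6 0x2b3c4d5e6f708192      0t0  TCP [::1]:5432 (LISTEN)
"""

if __name__ == "__main__":
    # An empty result after the update is what you want to see.
    for r in loopback_listeners(parse_listeners(SAMPLE)):
        print(f"{r['command']} (pid {r['pid']}) listens on {r['addr']}:{r['port']}")
```

Replace `SAMPLE` with `check_live()` on a real Mac; any hit after the client update means the helper process was not actually removed.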

After a post published yesterday by Leitschuh, who was the first to detail the vulnerability, Zoom said it would release an update later this month that would let users save video call preferences so that their webcam stays off every time they join a new call. This would work by carrying your preferences over to new calls, including those that could be disguised as spam links designed to be clicked and accidentally activate your webcam.

That was not a sufficient solution for some critics, since Zoom was effectively bypassing Apple's security just so it could launch Zoom calls immediately and without user confirmation. Initially, Zoom defended the web server as a "legitimate solution to a problem of poor user experience, allowing our users to have faster meetings with a single click," as Farley wrote in the original version of the company's blog post.

Leitschuh first alerted Zoom to the problem in March and gave Zoom 90 days to respond. "Ultimately, [Zoom] decided not to change the functionality of the application," Farley wrote. Leitschuh then went public, after declining to join Zoom's bug bounty program over what Zoom describes as disagreements about its non-disclosure policy.

But according to Leitschuh, Zoom CEO Eric Yuan made a "big splash" earlier today, apologizing for the response and the way Zoom was approaching the vulnerability, Wired reports. Notably, Yuan made that announcement to Leitschuh and other researchers in one of the Zoom test channels they had created to demonstrate their view of the severity of the vulnerability.

Farley argues that the relative security risk of the vulnerabilities that security researcher Jonathan Leitschuh disclosed yesterday was not as serious as Leitschuh considered it to be. He also argued that Zoom acted quickly during the initial disclosure to resolve the security issues it agreed were problematic, namely the DDoS possibilities.

Going forward, attention may shift from Zoom to other pieces of software that install web server processes or other hidden "helper" software. As Farley stated in Zoom's original defense of the practice, "We are not alone among video conferencing providers in implementing this solution." As others have pointed out on Twitter, the practice extends far beyond video conferencing software.

We asked Farley whether he had any thoughts on what the next steps could be for the industry as a whole regarding the ethical and safe deployment of this kind of background process on users' computers. "That is a difficult question to answer in the middle of a public relations crisis," he says. "I'm not sure I'm ready to give peer advice yet, but maybe we can have a follow-up conversation later on that."

Update, July 9, 5:52 p.m.: Clarified that the Zoom update that removes the local web server for Mac users is now live.

Update, July 9, 7:45 PM ET: Additional comments from the interview with Zoom's CISO were added.
