Zoom has made a 180-degree turn and released an emergency patch for a vulnerability in its Mac video conferencing client. The company initially played the issue down, but met with a lot of criticism.
The vulnerability allows a website to turn on your webcam unsolicited, without any action on your part. The cause is that Zoom on the Mac installs a separate local web server that accepts meeting-join requests on your behalf, so a page you merely visit can drop you into a meeting with the camera on. This web server stays active even after you have uninstalled Zoom, and it can reinstall the client on its own.
Zoom initially defended the functionality as a legitimate workaround for a new security feature in Apple's Safari browser, which among other things requires users to confirm at every meeting that they want to open Zoom.
With the emergency patch released yesterday, the local web server is completely removed from your system.
"Our original position was to install this process to allow users to participate in the meeting without having to perform additional clicks. We believe that was the right decision," says Richard Farley, chief information security officer at Zoom, in a conversation with The Verge. "But we also recognise and respect the opinions of others, who say they don't want to install an additional process on their local computer."
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U
Zoom (@zoom_us) July 9, 2019
Zoom used the local web server to save the user a few clicks and make its service faster and more user-friendly. It is not the only company that uses this approach. In this case, however, the risk was that a rogue website or advertising iframe could abuse the server to activate the webcam without the user's consent: a browser's same-origin policy stops a page from reading a response from localhost, but not from sending the request, and sending the request was all that was needed. After the update that is no longer possible.
The ability to embed Zoom links in an iframe is retained: too many large enterprise customers rely on it in their deployments, Farley told The Verge.
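A practitioner who has applied the patch will want to confirm that the helper is actually gone. The script below is an added example, not code from Zoom or from the article. It assumes, based on the public disclosure rather than on this article, that the helper listened on TCP port 19421 on localhost and was installed under ~/.zoomus; both values are parameters, so adjust them if your findings differ. It is meant to be run on the Mac being checked.

```python
"""Audit a Mac for remnants of Zoom's local web server.

Added example (not Zoom's code). Assumed values, not stated in the
article: the helper listened on 127.0.0.1:19421 and lived in ~/.zoomus.
"""
import socket
from pathlib import Path

ZOOM_LOCAL_PORT = 19421                     # assumed helper port
ZOOM_HELPER_DIR = Path.home() / ".zoomus"   # assumed helper location


def port_is_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if something accepts a TCP connection on host:port."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((host, port))
            return True
    except OSError:
        # Connection refused, timed out, or no networking: nothing listening.
        return False


def helper_dir_present(path) -> bool:
    """Return True if the helper's install directory still exists."""
    return Path(path).exists()


def audit(host: str = "127.0.0.1", port: int = ZOOM_LOCAL_PORT,
          helper_dir=ZOOM_HELPER_DIR) -> dict:
    """Combine both checks; 'clean' is True only when neither remnant is found."""
    listening = port_is_listening(host, port)
    present = helper_dir_present(helper_dir)
    return {
        "port_listening": listening,
        "helper_dir_present": present,
        "clean": not listening and not present,
    }


if __name__ == "__main__":
    result = audit()
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["clean"]:
        print("Local web server remnants found: update Zoom, then remove the helper directory.")
```

A listener on the port after the update means the patch did not take effect (or the helper reinstalled itself); a leftover directory alone means the server is gone but the files were not cleaned up.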
Farley still believes that the risk posed by the web server was smaller than its discoverer, Jonathan Leitschuh, claims. He also emphasises that Zoom was quick to fix a related vulnerability that the company itself considered problematic: an attacker could carry out a denial-of-service attack on a victim by repeatedly sending requests to the web server. This was patched in version 4.4.2 of the Zoom client.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.