Apple rolls out its own fix for Zoom zero-day
The exploit allowed websites to forcibly activate a user's webcam
Following backlash against Zoom's Mac vulnerability on Monday, Apple has rolled out a silent update that removes a web server that allowed websites to automatically launch a conference call and activate a user's webcam.
The move follows Zoom's own update to its client on Tuesday, which also removed the web server from Mac systems for those that chose to keep the software installed.
Apple's update serves those users who have, like a number of IT Pro writers, deleted Zoom from their systems following Monday's news.
Apple told TechCrunch that the update requires no user intervention and is deployed automatically. However, following our own testing, IT Pro can confirm that the vulnerability is still exploitable for those users who have yet to restart their system.
Despite both companies releasing updates for the issue, Tod Beardsley, research director at cybersecurity firm Rapid7, told IT Pro that the Zoom vulnerability was 'overblown'.
"I'm not entirely certain this is a bug in Zoom," he said. "For starters, there's a (non-default) configuration setting that seems to totally mitigate this issue: In the Mac OS client, go to zoom.us > Preferences > Video > "Turn off my video when joining meeting".
"Since this is already my personal default, I was confused as to why the original proof of concept wasn't working for me (I finally figured it out this morning)," he added. "At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren't enforced for localhost domains."
The problem with this criticism is that Zoom's default setting is to enable the webcam automatically; it's a feature of the client most people appreciate, as it makes joining a conference call more seamless.
When users click on a Zoom link, they expect to be thrown into a conference call, and it's therefore unlikely that users will take the time to change this default setting.
09/07/2019: Major zero-day privacy vulnerability found in Zoom for Mac
A serious zero-day vulnerability has been discovered in the hugely popular video conferencing and meetings application Zoom, which allows websites to forcibly activate a Mac user's camera without their intervention.
The vulnerability leverages a localhost web server that's installed alongside any Zoom installation and remains on a user's computer even after uninstalling the app. The web server also has the power to re-install Zoom on a user's system without their permission.
Jonathan Leitschuh, the researcher who discovered the vulnerability and provided a proof of concept, said this web server will accept requests that other browsers wouldn't.
The vulnerability exploits Zoom's feature where users can simply send others a customised link so they can join a conference call. When users have a setting enabled which allows Zoom to automatically activate a user's camera when joining a call, websites can abuse this custom link feature by inputting a Zoom conference link as an
"All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running," said Leitschuh. "This is still true today."
IT Pro can confirm the vulnerability is still active (Chrome on Mac OS) after testing the feature using one of Leitschuh's own proof of concept links listed in his disclosure report. It's a web link that will launch a new tab to a blank web page and, if the user has Zoom installed, will automatically launch them into a highly populated conference call with many people testing it just like us.
We can also confirm the install vulnerability works: even after deleting the application from a computer, joining any Zoom link will re-install the app without permission and with insidious speed.
"In my opinion, websites should not be talking to desktop applications like this," said Leitschuh. "There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users' machines."
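The localhost web server described above, and Beardsley's point about CORS not being enforced for localhost, come down to one design question: what should a local helper server accept from a browser? The following is an added example, not code from IT Pro, Zoom or Leitschuh; the endpoint path, the allowlisted origin and the `x-helper-action` header are hypothetical placeholders. It contrasts a handler that honours any GET (which a page can trigger with an ordinary resource load) with one that requires a POST, a custom header and an allowlisted Origin.

```python
"""Request-acceptance policy for a hypothetical localhost helper server.
Added example: shows why acting on any GET lets a third-party page drive
the helper, and how an Origin/method/header check stops that."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical allowlist of web origins permitted to drive the local helper.
ALLOWED_ORIGINS = {"https://helper.example"}  # placeholder, not a real vendor origin


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names in lower case


def weak_policy(req: Request) -> bool:
    """Mirrors the behaviour the article describes: any GET to the launch
    endpoint is honoured, no matter which page made the browser send it."""
    return req.method == "GET" and req.path.startswith("/launch")


def hardened_policy(req: Request) -> bool:
    """State-changing actions must be POSTs with a custom header (so the
    browser sends a CORS preflight that unknown origins will fail) and an
    allowlisted Origin. Image or script tag loads can never satisfy this."""
    if req.method != "POST" or not req.path.startswith("/launch"):
        return False
    origin = req.headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False
    # A custom header cannot be set by <img>, <script> or plain <form> posts.
    return req.headers.get("x-helper-action") == "join"


# Constructed sample requests, as a browser would emit them.
IMG_TAG_LOAD = Request("GET", "/launch?action=join&id=123", {"accept": "image/*"})
CROSS_SITE_POST = Request("POST", "/launch",
                          {"origin": "https://attacker.example", "x-helper-action": "join"})
NO_HEADER_POST = Request("POST", "/launch", {"origin": "https://helper.example"})
LEGIT_POST = Request("POST", "/launch",
                     {"origin": "https://helper.example", "x-helper-action": "join"})
```

Note that even the hardened policy does not fix the separate problem the article raises: a server that keeps running after the application is uninstalled.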
There is a partial workaround for the automatic-join issue: users can simply uncheck the setting that allows Zoom to auto-launch their camera and audio when entering a meeting.
Leitschuh notified Zoom back in March 2019 and gave the company 90 days to fix the issue but has now gone public as the issue still persists.
Zoom published a response on Monday saying "to be clear, the host or any other participant cannot override a user's video and audio settings to, for example, turn their camera on."
"Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately," said Richard Farley, Zoom's CISO, in the blog post. "Also of note, we have no indication that this has ever happened."
He went on to say that users will be given extra controls over their video settings as part of Zoom's upcoming July 2019 update, which will save users' preferences regarding video permissions.