Apple rolls out its own fix for Zoom zero-day

The exploit allowed websites to forcibly activate a user's webcam

Following Monday's backlash over the Zoom vulnerability on Mac, Apple has rolled out a silent update that removes the local web server Zoom installed, which allowed websites to launch a conference call automatically and switch on a user's webcam.

The move follows Zoom's own client update on Tuesday, which also removed the web server from Macs for those who chose to keep the software installed.

Apple's update covers those users who, like a number of IT Pro writers, deleted Zoom from their systems after Monday's news.

Apple told TechCrunch that the update requires no user intervention and is deployed automatically. However, following our own testing, IT Pro can confirm that the vulnerability is still exploitable for those users who have yet to restart their system.

Despite both companies releasing updates for the issue, Tod Beardsley, research director at cybersecurity firm Rapid7, told IT Pro that the Zoom vulnerability was 'overblown'.


"I'm not entirely certain this is a bug in Zoom," he said. "For starters, there's a (non-default) configuration setting that seems to totally mitigate this issue: In the Mac OS client, go to zoom.us > Preferences > Video > "Turn off my video when joining meeting".

"Since this is already my personal default, I was confused as to why the original proof of concept wasn't working for me (I finally figured it out this morning)," he added. "At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren't enforced for localhost domains."

The problem with this criticism is that Zoom's default is to turn the webcam on automatically when a user joins a meeting. It is a feature most people appreciate, because it makes joining a call more seamless.

When users click a Zoom link they expect to land straight in a conference call, so few are likely to take the time to change this default.

09/07/2019: Major zero-day privacy vulnerability found in Zoom for Mac

A serious zero-day vulnerability has been discovered in the hugely popular video conferencing application Zoom that allows websites to forcibly activate a Mac user's camera without any action on the user's part.


The vulnerability leverages a localhost web server that Zoom installs alongside the client and that remains on the user's computer even after the app is uninstalled. That web server can also re-install Zoom on the user's system without their permission.

Jonathan Leitschuh, the researcher who discovered the vulnerability and published a proof of concept, said this web server accepts requests that regular browsers would not.

The vulnerability abuses Zoom's feature that lets users send others a customised link to join a conference call. When a user has the setting enabled that lets Zoom activate the camera automatically on joining a call, a website can abuse this link feature by inputting a Zoom conference link as an

"All a website would need to do is embed the above in their website and any Zoom user will be instantly connected with their video running," said Leitschuh. "This is still true today."

"This could be embedded in malicious ads, or it could be used as a part of a phishing campaign," he added. "If I were actually an attacker, I'd probably invest some time to also include the incrementing port logic that the code in the Javascript running on Zoom's site."
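As an added illustration that is not from the article, from Zoom or from Leitschuh's disclosure, the Node.js model below shows the attack pattern described above (a page embeds the local launcher URL as an image, trying a few consecutive ports) next to a launcher that refuses it. The port number 19421, the 9-11 digit meeting ID format and the trusted-origin list are assumptions made for this example.

```javascript
// Added example (not Zoom's code): a toy model of a localhost "launcher" web
// server of the kind described in the article, showing why a cross-origin
// <img> request is enough to trigger it and how an origin check changes that.

const LAUNCHER_PORT = 19421;                          // assumed for the example
const TRUSTED_ORIGINS = new Set(["https://zoom.us"]); // assumed allow-list

// Attacker side: the HTML a malicious page or ad would embed. Browsers load
// <img> sources from any origin without asking, so each tag is a cross-origin
// GET aimed at the victim's own machine. The loop mirrors the "incrementing
// port logic" mentioned above: try a small range in case the first port is taken.
function buildAttackerHtml(confno, basePort = LAUNCHER_PORT, tries = 4) {
  const tags = [];
  for (let port = basePort; port < basePort + tries; port++) {
    const url = `http://localhost:${port}/launch?action=join&confno=${encodeURIComponent(confno)}`;
    tags.push(`<img src="${url}" width="1" height="1" alt="">`);
  }
  return tags.join("\n");
}

// Parse the launch request path; returns { confno } or null if malformed.
// Meeting ID format (9-11 digits) is an assumption for the example.
function parseLaunch(path) {
  const u = new URL(path, "http://localhost");
  if (u.pathname !== "/launch" || u.searchParams.get("action") !== "join") return null;
  const confno = u.searchParams.get("confno");
  return confno && /^\d{9,11}$/.test(confno) ? { confno } : null;
}

// Vulnerable behaviour: any GET with a well-formed confno joins the meeting.
// Nothing here asks which page caused the request.
// Requests are modelled as { method, path, headers } with lower-cased header names.
function vulnerableLauncher(req) {
  if (req.method !== "GET") return { status: 405, joined: null };
  const launch = parseLaunch(req.path);
  return launch ? { status: 200, joined: launch.confno } : { status: 400, joined: null };
}

// Hardened behaviour: require a POST whose Origin header is on the allow-list.
// An <img> tag can only produce a GET and never carries Origin, so the embedded
// image trick fails outright; a cross-site form POST or fetch() does carry
// Origin and is rejected unless it comes from a trusted page.
function hardenedLauncher(req) {
  if (req.method !== "POST") return { status: 405, joined: null };
  const origin = req.headers["origin"];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return { status: 403, joined: null };
  const launch = parseLaunch(req.path);
  return launch ? { status: 200, joined: launch.confno } : { status: 400, joined: null };
}

// Simulate what the browser sends when it loads each attacker <img>:
// a bare GET with a Referer but no Origin header.
function simulateImageLoads(html) {
  const results = [];
  for (const m of html.matchAll(/src="http:\/\/localhost:(\d+)(\/[^"]*)"/g)) {
    const req = { method: "GET", path: m[2], headers: { referer: "https://evil.example/" } };
    results.push({ port: Number(m[1]), vulnerable: vulnerableLauncher(req), hardened: hardenedLauncher(req) });
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  const html = buildAttackerHtml("123456789"); // constructed sample meeting ID
  console.log(html);
  console.table(simulateImageLoads(html).map(r => ({ port: r.port, vulnerable: r.vulnerable.status, hardened: r.hardened.status })));
}
```

Run with `node` to see the four generated tags and the two launchers' verdicts side by side: the vulnerable model joins the meeting on every port, the hardened one answers 405 to all of them. The POST-plus-Origin check is what actually closes the image-tag route, but it is only as strong as the browser that sets the header; the browser's own confirmation prompt before handing a link to a desktop app remains the more robust control.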


IT Pro can confirm the vulnerability is still active (Chrome on Mac OS) after testing the feature using one of Leitschuh's own proof of concept links listed in his disclosure report. It's a web link that will launch a new tab to a blank web page and, if the user has Zoom installed, will automatically launch them into a highly populated conference call with many people testing it just like us.


We can also confirm the install vulnerability works: even after deleting the application from a computer, joining any Zoom link re-installs the app without permission, and with insidious speed.

"In my opinion, websites should not be talking to desktop applications like this," said Leitschuh. "There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users' machines."

There is a partial workaround for the automatic-join issue: users can uncheck the setting that lets Zoom turn on their camera and audio automatically when entering a meeting, although a site can still launch the client into a call.

Leitschuh notified Zoom in March 2019 and gave the company 90 days to fix the issue, but has now gone public because the issue persists.

Zoom published a response on Monday saying "to be clear, the host or any other participant cannot override a user's video and audio settings to, for example, turn their camera on."

"Because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately," said Richard Farley, Zoom CISO in the blog post. "Also of note, we have no indication that this has ever happened."


He went on to say that users will be given extra control over their video settings in Zoom's July 2019 update, which will save users' video-permission preferences.

