Video conferencing provider Zoom has pushed out an emergency patch to address the zero-day vulnerability for Mac users that could expose a live webcam feed to an attacker by launching you into a Zoom video call you never intended to join. The move is a surprise reversal of Zoom’s previous stance, in which the company treated the vulnerability as “low risk” and defended its use of a local web server that incidentally exposed Zoom users to potential attacks.
The fix, detailed in the latest update to Zoom’s blog post on the vulnerability, will now “remove the local web server entirely, once the Zoom client has been updated,” taking away the ability for a malicious third party to automatically activate webcams using a Zoom link. The vulnerability arises from the fact that Zoom installs a local web server on Mac computers when its application is installed, which allows the platform to bypass a security measure in Safari 12 that prompts users with a dialog box to confirm before joining a new meeting.
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
Zoom says it does this to make its service faster and easier to use — in other words, saving you a few mouse clicks. But the local web server also creates the rare but real possibility that a malicious website could activate your webcam by using an iframe, getting around Safari’s built-in protections. In a since-patched version of Zoom, this same vulnerability could also have been used to conduct denial of service attacks on someone by flooding that local web server with continuous requests.
Here’s the update text, and Zoom’s directions for how to install it and/or remove the web server entirely:
The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
Following a Medium post yesterday from security researcher Jonathan Leitschuh that first detailed the vulnerability, Zoom said it would be pushing out an update later this month that would let users save video call preferences so that the webcam stays off whenever joining a new call. This would have worked by carrying over your preferences to new calls, including ones started by masked spam links designed to get you to click and accidentally activate your webcam.
That was not a sufficient fix for some critics, as Zoom was still effectively bypassing Apple’s security measure just so it could launch Zoom calls right away and without confirmation from the user. Initially, Zoom defended the web server as a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings,” as Richard Farley, Zoom’s chief information security officer, wrote in the initial version of the company’s blog post.
I mean, the platform owner decides that web URLs shouldn’t open other apps without an approval click–a pretty sensible security measure. Your response as a company probably shouldn’t be, “let’s bypass this by invisibly installing a server that’s a potential security hole.”
— Jason Snell (@jsnell) July 9, 2019
Leitschuh had originally made Zoom aware of the issue back in March, and he gave Zoom 90 days to respond. It “ultimately decided not to change the application functionality,” Farley wrote. So Leitschuh went public, after declining to join Zoom’s bug bounty program for what Zoom describes as disagreements over its non-disclosure policy.
But now, according to Leitschuh, Zoom CEO Eric Yuan has made a “full about face,” apologizing for the response and for Zoom dragging its feet on addressing the vulnerability, Wired reports.
Incidentally, Yuan made this most recent announcement to Leitschuh and other researchers in one of the test Zoom channels they had created to prove their point about the seriousness of the vulnerability.
The conversation with the @zoom_us CEO in the ‘Party Chat’ was incredibly productive. It felt like an about face on their previous position on this #vulnerability. It’s really encouraging to see a CEO willing to jump into a call with a bunch of strangers to take responsibility.
— Jonathan Leitschuh (@JLLeitschuh) July 9, 2019
Update July 9th, 5:52PM ET: Clarified that Zoom’s update removing the local web server for Mac users is now live.