'Zoom' Articles

Apple Pushes Another Automatic Mac Software Update to Address Further Zoom-Related Vulnerabilities

Apple today pushed a second silent security update to Macs to address further vulnerabilities related to the Zoom video conferencing app for macOS, reports The Verge. Apple removed software that was installed by RingCentral and Zhumu, two video conferencing apps that relied on technology from Zoom and were found earlier this week to have the same vulnerabilities as Zoom. These two apps installed software able to respond to commands that could potentially allow websites to open up your webcam during a video conference without permission. Removing the apps did not remove the secondary software that was vulnerable to exploitation, mirroring how Zoom itself behaved. Discovered last week, the Zoom vulnerability let a website forcibly initiate a video call on a Mac with the Zoom app installed, due to a web server that Zoom installed in the background. When the vulnerability was first discovered, Zoom said that it used a local web server as a workaround to Safari changes that Apple introduced in Safari 12, calling it a "legitimate solution" to an otherwise "poor user experience" that allowed users to access "seamless, one-click-to-join meetings." At issue was a new popup Apple implemented to require user approval when launching a third-party app, which Zoom wanted to avoid. Zoom did so through the aforementioned web server, which was designed to wait for calls to open up Zoom conferences automatically. Zoom eventually released a patch to address the issue, and Apple also took the step of removing web server software that was not initially removed from the Mac

Apple Pushes Automatic Mac Software Update to Remove Vulnerable Zoom Web Server

Earlier this week, a serious vulnerability with the Zoom video conferencing app for macOS was disclosed, with attackers potentially able to hijack users' webcams. The vulnerability was particularly notable because Zoom had installed a hidden web server on users' computers in order to allow for automatic answering of incoming calls, and that web server was not only the weak point that could be exploited, but it also was not removed upon deletion of the app. As a result, users who had previously deleted Zoom might not even realize they were vulnerable to this potential attack. After initially defending the decision to install a web server on users' machines to work around changes in Safari 12 that would have required users to click to accept incoming calls, Zoom later backtracked and released a patch to remove the web server from users' computers. Apple has now taken things one step further and pushed out a silent macOS update that removes the web server, reports TechCrunch. The update is deployed automatically, so users don't have to manually apply it in order for it to take effect. Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself. The update will now prompt users if they want to open the app, whereas before it would open automatically. Zoom told TechCrunch it was "happy to have worked with Apple on testing this update" and that it should resolve all issues with the web

Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed. The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability. In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app. Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app. While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting. Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page. Helpfully, the bottom