Video conferencing provider Zoom is pushing out an emergency patch later today to address a zero-day vulnerability in its Mac client that could expose a user's live webcam feed to an attacker. The move is a surprise reversal of Zoom's previous stance, in which the company treated the vulnerability as "low risk" and defended its use of a local web server, the very component that exposed Zoom users to the attack.
The fix, detailed in the latest update to Zoom's blog post on the vulnerability, will now "remove the local web server entirely, once the Zoom client has been updated," taking away a malicious third party's ability to activate webcams automatically with a Zoom link. The vulnerability arises from the fact that Zoom installs a local web server on any Mac on which its application is installed. That server lets the platform bypass a security measure in Safari 12: the dialog box that asks users to confirm before the browser hands a link off to the Zoom app to join a new meeting.
Zoom says it does this to make its service faster and easier to use, in other words to save you a few mouse clicks. But the local web server also creates the rare but real possibility that a malicious website could activate your webcam with a hidden iframe pointed at that server, getting around Safari's built-in protection: the browser sends the request on the page's behalf, and the server acts on it without asking who sent it. In a since-patched version of Zoom, the same local web server could also be used to conduct a denial of service attack on someone by sending it a continuous stream of requests.
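To make the design problem concrete, here is an added example (not Zoom's code, and not from the original article) that models the flaw class in isolation: a "helper" web server on 127.0.0.1 that performs a sensitive action for any GET request reaching it, beside a hardened variant that checks where the request came from, requires a secret a random web page cannot know, and never lets the request override the user's camera preference. The port, path, parameter names, the token scheme and the trusted origin are assumptions for illustration, not Zoom's real ones.

```python
"""Loopback helper server: vulnerable pattern vs hardened pattern.

Any web page the user visits can make the browser fetch
http://127.0.0.1:<port>/... via <iframe> or <img>.  If the listener acts on
the request alone, every site on the internet controls it.  (Hypothetical
path, port and parameters; constructed for this demo.)
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal model of the HTTP request the browser would send."""
    url: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> Dict[str, str]:
        return {k: v[-1] for k, v in parse_qs(urlsplit(self.url).query).items()}


def vulnerable_handle(req: Request) -> Optional[dict]:
    """Acts on any GET that reaches the loopback listener.

    A hidden <iframe src="http://127.0.0.1:PORT/join?meeting=...&video=on">
    on an attacker's page is enough: no origin check, no user confirmation,
    and the page chooses whether the camera comes on.
    """
    if req.path != "/join" or "meeting" not in req.query:
        return None
    q = req.query
    return {"action": "join", "meeting": q["meeting"], "video": q.get("video", "on") == "on"}


# Assumption: the vendor serves its join pages from exactly this origin.
TRUSTED_ORIGINS = {"https://meetings.example.com"}


def _request_origin(req: Request) -> str:
    """Origin the browser attached (Referer for an iframe/img navigation).

    The browser, not the page, sets these headers, so a malicious site cannot
    claim a trusted origin; it can at most suppress the header, which we reject.
    """
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def hardened_handle(req: Request, install_token: str, user_prefers_video: bool = False) -> dict:
    """Same endpoint with three checks the vulnerable version lacks.

    1. Only honour requests the browser attributes to the vendor's own origin.
    2. Require a per-install secret (assumed to be shared with the vendor's site
       through the user's authenticated session, hypothetical scheme) so an
       unauthenticated page cannot mint a valid link.
    3. Never take the camera state from the request; use the user's preference.
    """
    if req.path != "/join":
        return {"action": "ignore", "reason": "unknown path"}
    if _request_origin(req) not in TRUSTED_ORIGINS:
        return {"action": "reject", "reason": "untrusted origin"}
    q = req.query
    if "meeting" not in q:
        return {"action": "reject", "reason": "missing meeting"}
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(q.get("token", ""), install_token):
        return {"action": "reject", "reason": "bad token"}
    return {"action": "join", "meeting": q["meeting"], "video": user_prefers_video}


if __name__ == "__main__":
    # Constructed requests: one from an attacker's page, one from the vendor's site.
    attacker = Request("http://127.0.0.1:12345/join?meeting=123&video=on",
                       {"Referer": "https://evil.example/"})
    legit = Request("http://127.0.0.1:12345/join?meeting=123&token=s3cret",
                    {"Referer": "https://meetings.example.com/j/123"})
    print("vulnerable, attacker page:", vulnerable_handle(attacker))
    print("hardened,   attacker page:", hardened_handle(attacker, "s3cret"))
    print("hardened,   vendor page:  ", hardened_handle(legit, "s3cret"))
```

The vulnerable handler joins the meeting with video on for the attacker's request; the hardened one rejects it and, for a genuine request, joins with the camera in whatever state the user chose. Removing the listener altogether, as Zoom's patch does, is the simpler fix, and it also removes the denial of service surface the article mentions.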
Here’s the update text, and Zoom’s directions for how to install it and/or remove the web server entirely:
The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
Following a Medium post yesterday from security researcher Jonathan Leitschuh that first detailed the vulnerability, Zoom said it would push out an update later this month letting users save a video preference so that their webcam stays off whenever they join a new call. That approach worked by carrying your saved preference over to new calls, including ones started from disguised spam links designed to get you to click and unknowingly activate your webcam.
That was not a sufficient fix for some critics, since Zoom would still be bypassing Apple's security prompt just so it could launch calls immediately, without confirmation from the user. Initially, Zoom defended the web server as a "legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings," as Richard Farley, Zoom's chief information security officer, wrote in the initial version of the company's blog post.
Leitschuh had originally made Zoom aware of the issue back in March, and he gave Zoom 90 days to respond. It “ultimately decided not to change the application functionality,” Farley wrote. So Leitschuh went public, after declining to join Zoom’s bug bounty program for what Zoom describes as disagreements over its non-disclosure policy.
But now, according to Leitschuh, Zoom CEO Eric Yuan has made a “full about face,” apologizing for the response and for Zoom dragging its feet on addressing the vulnerability, Wired reports.
The negative press appears to have put extra pressure on Zoom to act, especially after the company's earlier response only promised an update later this month that would let you adjust the setting manually. Fittingly, Yuan made this most recent announcement to Leitschuh and other researchers in one of the test Zoom channels Leitschuh had created to prove his point about the seriousness of the vulnerability.