Zoom Fixes Vulnerability After Saying That It Wouldn’t Fix It… But This Isn’t Over Yet

Yesterday I wrote about a pretty bad vulnerability in the Zoom videoconferencing product where a malicious web page could be used to take control of the video camera on a Mac. On top of that, it was also discovered that when you install Zoom on a Mac, it installs a web server without your knowledge, and that web server can reinstall Zoom without any user interaction if you remove the client.

All of this was pretty bad. But Zoom’s initial response, as quoted in this ZDNet article, was worse:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

Well, I guess the blowback from that was epic because by that evening, Zoom had pushed out an emergency update that did the following:

  • The local web server will be completely removed on that device once the update is completed.
  • Zoom is adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server.

Seeing as they took such quick action, the cynic in me says that they could have addressed this at any time but chose not to until it blew up. This is further supported by this statement from the company’s blog:

We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:

Just for fun, look at this blog entry and see how haphazard the company’s response is. It looks like a really, really bad exercise in crisis management. Also, based on how the company responded, you have to wonder if Zoom should be the company that provides your organization’s video conferencing services.

In any case, the fun isn’t over yet. In an update to his original Medium post, Jonathan Leitschuh, who discovered this flaw, is now saying that the vulnerability that plagued Zoom for Mac is also present in RingCentral, which is basically a white-labeled version of Zoom. Thus if you run RingCentral, consider yourself warned that this vulnerability exists in that product as well.

4 Responses to “Zoom Fixes Vulnerability After Saying That It Wouldn’t Fix It… But This Isn’t Over Yet”

  1. […] guess that Apple felt that the security risks posed by the Zoom video conferencing software and the response by Zoom to fix the issue was too great to ignore as TechCrunch is reporting that Apple has pushed a silent update to remove […]

  2. […] who have had a couple of issues this week that made the news, which did get fixed by Zoom and Apple, now may be having their competitors throw some shade on them. Case in point is GoTo […]

  3. […] from Zoom and were also found to have the same vulnerabilities that Zoom has. You might recall that I only mentioned one of them previously. So the existence of another white labeled version of the Zoom software is not […]

  4. […] that got caught with a serious flaw that enabled video calls with zero interaction on the Mac, which they sort of fixed. But it wasn’t good enough for Apple as the lack of a fix that they liked forced them to get […]
