Archive for Zoom

GoTo Sends Its Customers A Note On Video Conference Security….. To Throw Some Shade On Zoom Perhaps?

Posted in Commentary on July 11, 2019 by itnerd

Zoom, which has had a couple of issues this week that made the news (since fixed by Zoom and Apple), may now be seeing its competitors throw some shade. Case in point is GoTo, which owns GoToMeeting and GoToWebinar among other products. I was tipped off by a reader who got an email pointing to this blog entry, which details why their security is better than Zoom’s:

To be perfectly clear, LogMeIn and our meeting products, including GoToMeeting, GoToWebinar, GoToTraining, GoToConnect and join.me, do not have this security design flaw. This flaw is not, and has never been, part of our products.

However, it is helpful to understand the report itself and why the approach has caused such concern. The root of the issue is a web server which is installed as part of Zoom’s native Mac client to allow it to launch the Zoom app from a web page, bypassing the operating system’s security controls. By bypassing normal browser-based security, this web server can be used to activate/trigger the user’s camera (and potentially execute other harmful code on the user’s machine). Worse, when the client is uninstalled, this active webserver is left behind on the machine.

LogMeIn also delivers simple meeting launching from a web browser, but does it in a much more secure way, using URI handlers. As Jonathan writes in his report: “Alternative methodologies like registering custom URI handlers (for example, a xxxx:// URI handler) with the browsers is a more secure solution. When these URI handlers are triggered, the browser explicitly prompts the user for confirmation about opening the app.” This is exactly how we handle our launch of an already installed LogMeIn application such as GoToMeeting and our other collaboration products.

This security posture avoids bypassing operating system or browser security controls. We take a similar stance towards privacy with things like video (we do not enable video by default) and always offering clean uninstalls.

Additionally, we offer the web clients for our products that can be used in scenarios where downloading an application is not an option or is security restricted.

So. I’ll ask the question. Is this informational to reassure customers that GoTo products are secure? Or is this meant to throw a bit of shade on Zoom? Or perhaps both? I guess it depends on your perspective. But I do expect that others who are in the video conferencing game to join in on the fun and perhaps do the same thing that GoTo is doing in some form.


Apple Takes Action To Remove That Zoom Web Server Which Has Been Shown To Be A Security Risk

Posted in Commentary on July 11, 2019 by itnerd

I guess that Apple felt that the security risks posed by the Zoom video conferencing software, and Zoom’s response to fixing the issue, were too great to ignore, as TechCrunch is reporting that Apple has pushed a silent update to remove the Zoom web server that is at the center of this controversy. As in the one that was installed by Zoom without user consent and seems to do some sketchy things.

So you might be wondering how Apple did that. macOS has a feature called XProtect which is part of Apple’s Gatekeeper security suite that is built into macOS. It allows Apple to silently (as in no user interaction is required) deal with malware by pushing updates to any Mac that is online. These updates can quarantine or kill malware. Now to be clear, this isn’t a true antivirus product and you still need to run one despite what the Mac fanboys might say. But this is a good way for Apple to provide “herd immunity” for Mac users.

So the net result is that if you are a Mac based Zoom user and whether you ran the Zoom update or not, you’re protected from this threat. That’s great for Mac users. But given all that has transpired over the last few days, you have to question if you should be using Zoom at all.

Zoom Fixes Vulnerability After Saying That It Wouldn’t Fix It…. But This Isn’t Over Yet

Posted in Commentary on July 10, 2019 by itnerd

Yesterday I wrote about a pretty bad vulnerability with the Zoom videoconferencing product where a malicious web page could be used to take control of the video camera on a Mac. On top of that, it was also discovered that when you install Zoom on a Mac, it installs a web server without your knowledge, and said web server can reinstall Zoom without any user interaction even after you have removed the app.

Now all of this was pretty bad. But the response by Zoom initially was worse via this ZDNet article:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

Well, I guess the blowback from that was epic because by that evening, Zoom had pushed out an emergency update that did the following:

  • The local web server will be completely removed on that device once the update is completed.
  • Zoom is adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server.

Seeing as they took such quick action, the cynic in me says that they could have addressed this at any time but chose not to until this blew up. This is further bolstered by this statement from the company’s blog:

We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:

Just for fun, look at this blog entry and see how haphazard the company’s response is. It looks like a really, really bad exercise in crisis management. Also, based on how the company responded, you have to wonder if Zoom should be the company that provides your organization’s video conferencing services.

In any case, the fun isn’t over yet. In an update to his original Medium post, Jonathan Leitschuh, the researcher who discovered this flaw, is now saying that the vulnerability that plagued Zoom for Mac is also present in RingCentral, which is basically a white-labeled version of Zoom. Thus if you run RingCentral, consider yourself warned that this vulnerability exists in that product as well.

Zoom Has A Serious Vulnerability That Can Trigger Video Calls With Almost Zero User Interaction

Posted in Commentary on July 9, 2019 by itnerd

Security researcher Jonathan Leitschuh has discovered a serious vulnerability with the highly popular Zoom Video Conferencing service. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed. Which of course is not good. There was another issue that he discovered that allowed any web page to perform a denial of service attack on the Mac. But that was patched, leaving the original vulnerability in play. Leitschuh disclosed the problem to Zoom in late March and gave the company 90 days to fix the issue. But it wasn’t fixed, and thus he’s going public.

But there’s more to this story. When you install Zoom on a Mac, it installs a localhost web server as a background process. The purpose of this web server is to accept requests that regular browsers wouldn’t allow, which is to say whatever Zoom needs to do to facilitate video conferencing. What gets my attention is that this service can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page. Which is very sketchy in my mind. That means that uninstalling Zoom won’t solve this issue. And it also sounds kind of malware-like.

Now you can mitigate this attack vector by disabling the setting that allows Zoom to turn on your Mac’s camera when joining a meeting. But the real fix is to uninstall everything related to Zoom and not use it at all. The bottom of the Medium post includes a series of Macintosh Terminal commands that will uninstall the web server completely. I would strongly suggest that you go that route, as that’s the best way to protect yourself.
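The risk described in both the GoTo post above and here is a background service listening on localhost, which stays reachable from any web page loaded in a local browser even after the app that installed it is gone. The following check is an added example, not code from the original post or from any vendor: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (the sample output below is constructed, and `ExampleHelper` is a hypothetical leftover helper, not a real process name) and reports loopback-only listeners whose owning process is not on a list you recognise.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample output in the format of `lsof -nP -iTCP -sTCP:LISTEN` on macOS.
# "ExampleHelper" is a hypothetical leftover helper process, not a real product name.
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd      601 alice    4u  IPv4 0x5e6f      0t0  TCP *:49152 (LISTEN)
ExampleHelper 734 alice    3u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:45678 (LISTEN)
ExampleHelper 734 alice    4u  IPv6 0x3c4e      0t0  TCP [::1]:45678 (LISTEN)
sshd          120 root     5u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int


def parse_listeners(lsof_output: str) -> list:
    """Turn lsof LISTEN rows into Listener records; the header row is skipped."""
    listeners = []
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue  # header, blank line, or a socket that is not listening
        host, _, port = parts[-2].rpartition(":")  # NAME column, e.g. 127.0.0.1:45678
        listeners.append(Listener(parts[0], int(parts[1]), parts[2], host.strip("[]"), int(port)))
    return listeners


def loopback_listeners(lsof_output: str, known_commands=frozenset()) -> list:
    """Listeners bound only to loopback whose command name is not in known_commands.

    Loopback-only services never show up in a network scan, yet any web page
    rendered by a local browser can send them requests, so each one needs a known owner."""
    return [l for l in parse_listeners(lsof_output)
            if l.host in LOOPBACK_HOSTS and l.command not in known_commands]


def scan_live(known_commands=frozenset()) -> list:
    """Run lsof on this machine (macOS/Linux) and apply the same check to real output."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True).stdout
    return loopback_listeners(out, known_commands)


if __name__ == "__main__":
    for l in loopback_listeners(SAMPLE_LSOF, known_commands=frozenset({"rapportd"})):
        print(f"{l.command} (pid {l.pid}, {l.user}) listens on {l.host}:{l.port}")
```

Run `scan_live()` after removing a client to confirm nothing it installed is still listening; a hit is the cue to find and stop the owning process.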

Now what does Zoom have to say about this? Well in this ZDNet article, they had this to say:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

That, to be blunt, is total crap. They should be completely aware that now that this is public, there will be attacks inbound using this vulnerability. On top of that, the bad press from this is guaranteed to drive customers away from using their service. I’ve already had a few inquiries from clients of mine, and my advice is simple. Don’t use Zoom for videoconferencing purposes until they can demonstrate that it is secure and that they don’t need to do the sorts of things they were caught doing so that their users can have a “seamless” experience.

UPDATE: In a blog post, Zoom says that there is no indication this vulnerability was ever taken advantage of because if a person did click on a malicious link, it would be readily apparent that a video call started (and thus their webcam was hijacked) because the Zoom client user interface runs in the foreground upon launch. Which may be true but isn’t the point anymore. The point is that they reacted poorly to this issue. Having said that, the company did say a fix was inbound. I’d love to know if that fix addresses all the issues that I raised in this article. Because if it doesn’t, I’ll continue to recommend that you avoid Zoom because of the potential risk that it poses.