Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat application that could allow hackers to take control of a user’s webcam.
The vulnerability was discovered by security researcher Jonathan Leitschuh, who published information about it in a blog post on Monday. The flaw could affect 750,000 businesses and about 4 million people using Zoom, Leitschuh said.
The flaw involves a feature in the Zoom app that allows users to quickly join a video call with a single click, thanks to a unique URL link that immediately launches the user in a video conference. (The feature is designed to launch the app quickly and seamlessly for a better user experience.) Although Zoom gives users the option to keep the camera turned off before participating in a call, and users can turn off the camera later in the app settings, the default is to turn on the camera.
Leitschuh argued that this feature could be abused. By directing a user to a site with a quick-join link embedded and hidden in the page code, an attacker could launch the Zoom application, turning on the camera and/or microphone in the process, without the user’s permission. This is possible because Zoom also installs a local web server when the desktop application is downloaded.
Once installed, the web server remains on the device, even after the Zoom application has been removed.
Following Leitschuh’s publication, Zoom downplayed concerns about the web server. On Tuesday, however, the company announced that it would issue an emergency patch to remove the web server from Mac devices.
«Initially, we did not see the web server or video posture as significant risks to our customers and, in fact, we considered them to be essential to our seamless join process,» Zoom CISO Richard said in a blog post. «But hearing the noise from some of our users and the security community over the past 24 hours, we decided to make updates to our service.»
Apple also released a «silent» update on Wednesday that ensures the web server is removed from all Mac devices, according to TechCrunch. This update also protects users who had already removed Zoom.
Business customer concerns
There were different levels of concern about the severity of the vulnerability. According to BuzzFeed News, Leitschuh rated its severity at 8.5 out of 10; Zoom rated the flaw at 3.1 after its own review.
Irwin Lazar, vice president and director of services at Nemertes Research, said the vulnerability itself should not be a major concern for companies, as users would quickly notice the Zoom application launched on the desktop.
«I don’t think that’s very significant,» he said. «The risk is that someone clicks on a link that claims to be a meeting, then the Zoom client launches and connects them to the meeting.» If video is enabled by default, the user will be seen until they realize that they accidentally joined a meeting. «They will notice that the Zoom client has been activated and they will immediately see that they have joined a meeting.
«In the worst case, I’m in front of the camera for a few seconds before leaving the meeting,» Lazar said.
Although the vulnerability itself is not known to have caused problems, the time it took Zoom to respond to the problem is more worrying, said Daniel Newman, founding partner and senior analyst at Futurum Research.
«There are two ways to look at this,» Newman said. «As of [Wednesday], given the patch that was released [Tuesday], the vulnerability is not so significant.
«However, what is significant for enterprise customers is how this issue went unresolved for months, how the original patches could be reversed by recreating the vulnerability, and now we have to ask ourselves whether this newer patch will be a permanent solution,» Newman said.
Leitschuh said he first warned Zoom of the vulnerability in late March, a few weeks before the company’s IPO in April, and was initially informed that Zoom’s security engineer was «out of the office.» A full fix was released only after the vulnerability was made public (although a fix had been released earlier this week).
«Ultimately, Zoom failed to quickly confirm that the reported vulnerability actually existed and failed to find a solution to the problem delivered to customers in a timely manner,» he said. «An organization with this profile and such a large user base should have been more proactive in protecting users from attacks.»
In a statement on Wednesday, Zoom CEO Eric S. Yuan said the company «misjudged the situation and did not respond quickly enough, and that is on us. We take full responsibility and we have learned a lot.
«What I can tell you is that we take the safety of users incredibly seriously and are fully committed to doing the right thing for our users.»
RingCentral, which uses Zoom technology to power its own video conferencing services, said it also addressed vulnerabilities in its application.
«We recently became aware of video vulnerabilities in the RingCentral Meetings software and took immediate action to mitigate these vulnerabilities for customers who may be affected,» a spokesman said.
«As of [July 11], RingCentral does not know of any customers who have been affected or breached by the vulnerabilities discovered. The safety of our customers is of the utmost importance to us, and our security and engineering teams are monitoring the situation closely.»
Other suppliers, similar failures?
Similar vulnerabilities may be present in other video conferencing applications, as providers try to streamline the meeting process.
«I haven’t tried other vendors, but I wouldn’t be surprised if they did [similar features],» said Lazar. «Zoom competitors have tried to match its fast start times and video-first experience, and most now allow users to quickly join a meeting by clicking on a link in the calendar.»
Computerworld contacted other leading video conferencing software vendors, including BlueJeans, Cisco, and Microsoft, to ask whether their desktop applications also require the installation of a web server such as Zoom’s.
BlueJeans said its desktop application, which also uses a launch service, cannot be activated by websites and malware, and pointed out in a blog post today that its application can be completely uninstalled, including removal of the launch service.
«The BlueJeans meeting platform is not vulnerable to any of these issues,» said Alagu Periyannan, CTO and co-founder of the company.
BlueJeans users can join a video call through a web browser, which «takes advantage of the native browser’s permission flows» to join a meeting or through the desktop application.
«From the beginning, our launch service has been implemented with security as a priority,» Periyannan said in an email. «The launch service ensures that only authorized BlueJeans sites (for example, bluejeans.com) can launch the BlueJeans desktop application in a meeting. Unlike the problem you are referring to [Leitschuh], malicious websites cannot launch the BlueJeans desktop application.
«As an ongoing effort, we continue to evaluate improvements in browser-desktop interaction (including the discussion raised in CORS-RFC1918) to ensure that we provide the best possible solution for users,» said Periyannan. «Also, for customers who are not comfortable using the launch service, they can work with our support team to disable the desktop launcher.»
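The origin check Periyannan describes, contrasted with the Zoom design earlier in the article, as an added example that is not BlueJeans’ or Zoom’s code: a loopback launch helper that honours a launch request only when the browser’s Origin header names an allow-listed host. The allow-list, port and URL path are assumed values for illustration.

```python
"""Added example: a localhost launch helper that fails closed on origin.

A web server any page can reach is the surface described for Zoom; the
difference in the design quoted above is that the helper checks who is
asking before it does anything. Note the limit of the check: Origin is
set by browsers, so this defends against web pages, not local malware.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed allow-list of vendor hosts. Subdomains of a listed host are
# accepted; look-alikes such as "bluejeans.com.attacker.example" are not.
ALLOWED_HOSTS = ("bluejeans.com",)


def is_authorized_origin(origin, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for an https origin on an allow-listed host.

    A missing Origin header (as on <img>/<script> GETs from a page, or a
    command-line client) is rejected: never default to allow.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


class LaunchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Hardened form: check the caller before touching the client.
        if not is_authorized_origin(self.headers.get("Origin")):
            self.send_response(403)
            self.end_headers()
            return
        if self.path.startswith("/launch"):
            # A real helper would start the desktop client here; this
            # example only acknowledges the request.
            self.send_response(204)
            self.end_headers()
            return
        self.send_response(404)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; 8765 is an arbitrary example port.
    HTTPServer(("127.0.0.1", 8765), LaunchHandler).serve_forever()
```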
A Cisco spokesman said its Webex software «does not install or use a local web server and is not affected by this vulnerability.»
A Microsoft spokesman said the same, noting that its software does not install a web server as Zoom’s does.
Highlighting the shadow danger of IT
While the nature of the Zoom vulnerability has attracted attention, for large organizations the security risks run deeper than a software vulnerability, Newman said. «I think this is more of a SaaS and shadow IT issue than a video conferencing issue,» he said. «Of course, if some network equipment is not configured and secured properly, the vulnerabilities will be exposed. In some cases, even when properly configured, manufacturers’ software and firmware can create problems that lead to vulnerabilities.»
Zoom has enjoyed significant success since its inception in 2011, with a wide range of large enterprise customers, including Nasdaq, 21st Century Fox and Delta. This was largely due to word-of-mouth «viral» adoption among employees, rather than the top-down software rollouts often required by IT departments.
This form of adoption, which has fueled the popularity of applications such as Slack and Dropbox at large companies, can create challenges for IT teams that want strict control of the software used by staff, Newman said. When applications are not vetted by IT, this leads to «higher levels of risk».
«Business applications must balance usability and security; this particular issue shows that Zoom has clearly focused more on the former than on the latter,» he said.
«That’s part of why I remain optimistic about Webex Teams and Microsoft Teams,» Newman said. «These applications tend to come in through IT and are vetted by the competent parties. In addition, these companies have a large group of security engineers who focus on application security.»
He noted Zoom’s initial response: that its security engineer was «out of the office» and could not respond for several days. «It is difficult to imagine a similar response being tolerated at MSFT or [Cisco].»