Your Mac could be hijacked through major security flaw in Zoom conferencing app

guest · Jul 9, 2019

Your Mac could be hijacked through major security flaw in Zoom conferencing app
A security flaw in Zoom's Mac app lets websites join you to video calls without your permission
July 8, 2019
https://www.cnet.com/news/your-mac-...major-security-flaw-in-zoom-conferencing-app/

On Monday, security researcher Jonathan Leitschuh gave Mac users another reason to fret over their webcams -- there's a security flaw in the Zoom video-conferencing app.

Zoom is most notable for its click-to-join feature, where clicking on a browser link takes you directly to a video meeting in Zoom's app. But Leitschuh in a Medium post explained that he months ago discovered Zoom achieves this in insecure ways, allowing websites to join you to a call as well as activating your webcam without your permission.

He adds that this would allow any webpage to denial-of-service a Mac by repeatedly joining you to an invalid call. Uninstalling the Zoom app from your Mac isn't enough to fix the problem, either. Zoom achieves its click-to-join function by installing a web server on your computer -- which can reinstall Zoom without your permission.
If you have the Zoom app installed on your Mac, Leitschuh lists directions to neutralize the local server in his Medium post.
Click to expand...

guest · Jul 9, 2019

Zoom will remove server behind Mac webcam security hole
A patch will address the potential for snooping and flooding attacks
July 9, 2019
https://www.engadget.com/2019/07/09/zoom-will-remove-server-behind-mac-security-hole/

Zoom is acting quickly on the security flaw that let intruders hijack Mac users' webcams. The video conferencing firm is releasing a patch on July 9th (that's today, if you're reading in time) that removes access to the local web server behind the vulnerability. It'll also let you manually uninstall Zoom and remove all traces of the app so that there's no chance of an exploit later on.
Another update, due for the weekend of July 12th, will also ensure that rookies who choose "always turn off my video" will automatically have their preferences honored in those situations where a meeting host would normally require that video switches on.

The company had previously defended its earlier decisions. The web server only responded to requests from the local computer, Zoom said. It argued that this was more convenient than having to confirm launching the Zoom client every time you wanted to get into a meeting.
Researcher Jonathan Leitschuh, who discovered the flaw, noted that Zoom's newfound willingness to patch out the web service represented an "about face" -- it went from rationalizing its existing strategy to planning a fix in a matter of hours.
Click to expand...

Zoom: Response to Video-On Concern

guest · Jul 10, 2019

Apple rolls out silent update to remove Zoom web server from Macs
Apple took a proactive approach to protect Mac users
July 10, 2019
https://www.imore.com/apple-rolls-out-silent-update-remove-zoom-web-server-macs

Apple has rolled out a silent update for Mac users that removes the Zoom web server that allowed malicious websites to access the camera without permission. Apple confirmed the update in a statement to TechCrunch.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users' Macs when they installed the app.
Apple said the update does not require any user interaction and is deployed automatically.

The automatic Mac update is Apple's response to the Zoom debacle that has unfolded over the past few days. When users downloaded the Zoom app, it covertly installed a web server that turned out to be vulnerable to malicious web sites which could in turn access the Mac's camera.
Click to expand...

guest · Jul 16, 2019

Apple pushes second silent macOS update as it battles Zoom webcam hijack vulnerability
July 16, 2019
https://9to5mac.com/2019/07/16/ringcentral-and-zhumu-macos-update/

When the Zoom vulnerability was first discovered last week, Apple pushed a silent macOS update to remove the web server. Now, The Verge reports that Apple has deployed another silent security update to remove web servers installed by RingCentral and Zhumu. Like the update pushed last week, this one does not require any user interaction to install.

Earlier today, we explained that because RingCentral and Zhumu use the same underlying code as Zoom, they also installed their own web server in macOS.
Unfortunately, RingCentral and Zhumu aren’t the only video conferencing apps that use Zoom’s code. Apple says that it hopes to patch the vulnerability for all of Zoom’s partner apps in the coming days.
Click to expand...

Log in or Sign up

Your Mac could be hijacked through major security flaw in Zoom conferencing app

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Your Mac could be hijacked through major security flaw in Zoom conferencing app

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches