PSA: Mac users should update Zoom - Vulnerability allows malicious websites to enable your camera

ryanschristmaslights

On July 9, 2019, a security patch to address a vulnerability in the Zoom app on Mac devices was released. Instructions for obtaining the patch are to either:
  • Download it at zoom.us/download.
  • Check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.

In short, Mac versions of Zoom install a local web server (as a background process) in addition to the primary application. It appears that this web server runs even when the Zoom application is closed and, according to details at the URL below, this background process makes it possible to forcibly have you join a meeting upon visiting a malicious or infected webpage. This vulnerability appears to apply to Mac devices even if you uninstalled Zoom previously, as the background process is not removed and apparently will silently re-install Zoom on your machine when a meeting URL is clicked (or maliciously loaded in an iframe).

Zoom meetings can (unless this has been fixed by Zoom) be configured to automatically turn on participants' webcams when joining a meeting. Theoretically this could mean that someone could activate your webcam via the vulnerability that the security patch is supposed to address.

Some of this wording is my own interpretation and may not be 100% correct. If you have ever installed Zoom on a Mac then you may like to read the original details at the URL below.

Details:

https://twitter.com/zoom_us/status/1148710712241295361

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
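The post describes a background web server that keeps listening on the local machine even when Zoom is closed or uninstalled, and that any web page loaded in your browser can reach. A practical way to confirm whether something like that is still running on a Mac is to list which processes are accepting TCP connections on loopback or on all interfaces and filter for a suspicious command name. The script below is an added example written for this thread; it is not code from Zoom or from the post's author. It assumes nothing about the daemon's real process name or port (the post states neither), so it simply reports any listening process whose command name matches a pattern (default "zoom") and whose bind address a local browser could reach; the sample `lsof` output embedded in it is constructed for the offline demonstration.

```python
"""Defensive check: find local TCP listeners whose process name matches a pattern.

Parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (real lsof flags) and reports
listeners bound to loopback or to all interfaces, i.e. ports that a web page
running in a browser on the same machine could talk to.
Added example for the forum post above; not Zoom's or the poster's own code.
Assumption: the background daemon's name and port are unknown here, so the
match is by command-name pattern only.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass

LSOF_CMD = ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"]
# Bind addresses reachable from a browser on the same host.
LOCAL_HOSTS = {"*", "0.0.0.0", "::", "::1", "localhost"}

# Constructed sample output in lsof's column layout (process names and ports
# are invented for the demo; they are not the real Zoom daemon's values).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd        412 root    3u  IPv4 0x11aa      0t0  TCP *:22 (LISTEN)
cupsd       455 root    6u  IPv4 0x11ab      0t0  TCP 127.0.0.1:631 (LISTEN)
zoomlocal  5512 ryan    5u  IPv4 0x11ac      0t0  TCP 127.0.0.1:12345 (LISTEN)
zoomlocal  5512 ryan    6u  IPv6 0x11ad      0t0  TCP [::1]:12345 (LISTEN)
zoomish    6001 ryan    4u  IPv4 0x11ae      0t0  TCP 192.168.1.5:9000 (LISTEN)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int


def parse_lsof_listeners(text: str) -> list[Listener]:
    """Turn lsof LISTEN rows into Listener records; skips the header and junk."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        name = parts[8]  # e.g. 127.0.0.1:631, *:22, [::1]:12345
        if ":" not in name:
            continue
        host, port = name.rsplit(":", 1)
        if not port.isdigit():
            continue
        listeners.append(
            Listener(parts[0], int(parts[1]), parts[2], host.strip("[]"), int(port))
        )
    return listeners


def browser_reachable(host: str) -> bool:
    """True if a page in a local browser could connect to this bind address."""
    return host in LOCAL_HOSTS or host.startswith("127.")


def find_suspect_listeners(text: str, pattern: str = "zoom") -> list[Listener]:
    """Listeners whose command matches `pattern` and are reachable locally."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [
        l for l in parse_lsof_listeners(text)
        if rx.search(l.command) and browser_reachable(l.host)
    ]


def main() -> None:
    if shutil.which("lsof"):
        text = subprocess.run(LSOF_CMD, capture_output=True, text=True).stdout
        source = "live lsof output"
    else:
        text, source = SAMPLE_LSOF, "constructed sample (lsof not found)"
    hits = find_suspect_listeners(text)
    print(f"Checked {source}: {len(hits)} matching local listener(s)")
    for h in hits:
        print(f"  {h.command} (pid {h.pid}, user {h.user}) listening on {h.host}:{h.port}")


if __name__ == "__main__":
    main()
```

Run it as-is to scan the current machine (it falls back to the constructed sample where `lsof` is absent), or pass a different pattern to `find_suspect_listeners` to look for other vendors' helper daemons. A listener reported here is not proof of the flaw described in the post, only evidence that a browser-reachable local service is still running after the application was closed or removed, which is exactly the condition the post warns about and the reason to install the patch or remove the leftover process.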