Apple steps in to automatically remove Zoom’s risky software from Macs


Information about the exploit first came via security researcher Jonathan Leitschuh, who published a detailed Medium post demonstrating how Zoom's insecure implementation of a feature known as "click-to-join", which makes video meetings easy to reach, could be used to connect Mac users to a call and activate their webcams without their knowledge, simply by embedding some code in a website.

The vulnerability stems from the Zoom feature that lets anyone send a meeting link: when the recipient opens that link in a browser, the Zoom client opens automatically on their local machine. To make this work, Zoom installed a local web server on the Mac and, in a move that Daring Fireball's John Gruber justifiably describes as "criminal", left that server behind even after a user had every reason to believe Zoom was uninstalled. Zoom eventually walked back its position and released an emergency patch that removes the local web server completely. Before the patch, as Leitschuh wrote at the time, "This re-install "feature" continues to work to this day".

In a blog post Tuesday, Zoom said it planned to disable the web server feature, which was originally created to make it easier for users to join meetings without extra clicks.

"It took Zoom 10 days to confirm the vulnerability", wrote Leitschuh.

The undocumented server remained installed on users' devices even after Zoom was uninstalled, allowing the app to be re-installed without their knowledge.

Zoom developers explained that the local server needs to store information about settings.

Prior to the update, Eoin Keary, CEO and co-founder of edgescan, told MailOnline: 'A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner.

This gave attackers the opportunity to plant malicious code on websites (or in content rendered by web-based email clients such as the Outlook web app) that silently connects to the hidden web server on the victim's machine.

"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't", he added. Leaving a hidden server behind is underhanded and breaches trust boundaries; by removing it, the fix protects users against the threat of unapproved webcam access.
