Video conferencing provider Zoom has pushed out an emergency patch to address the zero-day vulnerability for Mac users that could potentially expose a live webcam feed to an attacker, launching you into a Zoom video chat you’d never intended to launch. The move is a surprise reversal of Zoom’s previous stance, in which the company treated the vulnerability as “low risk” and defended its use of a local web server that incidentally exposed Zoom users to potential attacks.
The fix, detailed in the latest update to Zoom’s blog post on the vulnerability, will now “remove the local web server entirely, once the Zoom client has been updated,” to take away the ability for a malicious third party to automatically activate webcams using a Zoom link. The vulnerability arises from the fact that Zoom installs a local web server onto Mac computers that install its application, which allows the platform to bypass security measures in Safari 12 that prompt users with a dialogue box to confirm the joining of a new meeting.
In an interview with The Verge after this post was originally published, Zoom’s chief information security officer, Richard Farley, explained the thinking behind the company’s about-face today:
Ultimately, it’s based on the feedback of the people that have been following this and contributing to the discussion. Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision. And it was [at] the request of some of our customers.
But we also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine. So that’s why we made the decision to remove that component — despite the fact that it’s going to require an extra click from Safari.
Although Farley maintains that the web server it had installed was “stripped down to its bare functionality” and was secure, the company chose to remove it. A further concern that has been floating around is the ability to include Zoom links inside iframes inside web pages — Farley says Zoom won’t block that functionality because too many of its large enterprise customers actually use iframes in their implementation of Zoom’s software.
Zoom says it used the local web server to make its service faster and easier to use — in other words, saving you a few mouse clicks. But the server also creates the rare but present possibility that a malicious website could activate your webcam by using an iframe, getting around Safari’s built-in protections. In a since-patched version of Zoom, this same vulnerability could also have been used to conduct denial of service attacks on someone through continuous pings to that local web server.
Here’s the update text, and Zoom’s directions for how to install it and/or remove the web server entirely:
The patch planned for tonight (July 9) at or before 12:00 AM PT will do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
Following a Medium post yesterday from Leitschuh that first detailed the vulnerability, Zoom said it would be pushing out an update later this month that would let users save video call preferences to make it so webcams can stay off whenever joining a new call. This worked by carrying over your preferences to new calls, including ones that could be masked spam links designed to get you to click and accidentally activate your webcam.
That was not a sufficient fix for some critics, as Zoom was still effectively bypassing Apple security just so it could launch Zoom calls right away and without confirmation from a user. Initially, Zoom defended the web server as a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings,” as Farley wrote in the original version of the company’s blog post.
Leitschuh had originally made Zoom aware of the issue back in March, and he gave Zoom 90 days to respond. It “ultimately decided not to change the application functionality,” Farley wrote. So Leitschuh went public, after declining to join Zoom’s bug bounty program for what Zoom describes as disagreements over its non-disclosure policy.
But according to Leitschuh, Zoom CEO Eric Yuan made a “full about face” earlier today, apologizing for the response and for Zoom dragging its feet on addressing the vulnerability, Wired reports. Incidentally, Yuan made that announcement to Leitschuh and other researchers in one of the test Zoom channels they had created to prove their point about the seriousness of the vulnerability.
Farley maintains that the relative security risk of the vulnerabilities that security researcher Jonathan Leitschuh disclosed yesterday was not as severe as Leitschuh made it out to be. He also argued that Zoom acted quickly during the initial disclosure to resolve the security issues it agreed were problematic, in other words the DDoS possibilities.
Moving forward, attention could move away from Zoom to other pieces of software that install web server processes or other hidden “helper” software. As Farley stated in Zoom’s original defense of the practice, “We are not alone among video conferencing providers in implementing this solution.” As others have noted on Twitter, the practice extends well beyond video conference software.
We asked Farley if he had any thoughts as to what the next steps for the entire industry might be with regard to ethically and securely implementing these kinds of background processes on computers. “That’s a tough question to answer in the middle of a PR crisis,” he says. “I’m not sure that I’m ready to be providing advice to the peers just yet, but maybe we can have a follow up conversation later on on that.”
Update July 9th, 5:52PM ET: Clarified that Zoom’s update removing the local web server for Mac users is now live.
Update July 9th, 7:45PM ET: Added additional comments from interview with Zoom’s CISO.