Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat client that could allow hackers to take control of a user's webcam.
The vulnerability was discovered by security researcher Jonathan Leitschuh, who published details on a blog on Monday. The problem potentially affected 750,000 companies and around 4 million Zoom users, Leitschuh said.
Zoom says it has seen no sign of the flaw being exploited. But concerns about the flaw and how it works have raised the question of whether other, similar programs could be equally vulnerable.
The flaw is tied to a Zoom feature that lets users join a video call with one click, via a unique URL that instantly drops the user into a video meeting. (The feature is designed to make launching the program quick and easy.) Although Zoom lets users turn off the camera before joining a call, and users can later turn the camera off in the program's settings, the camera is turned on by default.
Leitschuh argued that this feature could be used for malicious purposes. By directing a user to a site containing a quick-join link embedded and hidden in the page code, an attacker could launch the Zoom application and switch on the camera and/or microphone without the user's permission. This is possible because Zoom also installs a web server when the desktop application is downloaded.
Once installed, the web server remains on the device, even after the Zoom application is uninstalled.
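As an added illustration (not from the article, Leitschuh's post or Zoom), here is the defender-side check this section calls for: a helper that parses `lsof` listener output from a Mac and flags processes listening only on the loopback interface, which any web page open in a browser can reach, that are not on an operator-maintained known list. The sample output, process name and port are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output on a Mac. The
# launcher process name and port are placeholders shaped like a lingering
# meeting launcher, not values taken from the article or from a real machine.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    412  alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ZoomOpener  987  alice   7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:19421 (LISTEN)
Spotify    1203  alice  31u  IPv4 0x5e6f      0t0  TCP 127.0.0.1:4381 (LISTEN)
sshd        101  root    5u  IPv6 0x7a8b      0t0  TCP *:22 (LISTEN)
"""

# COMMAND PID USER ... TCP <addr>:<port> (LISTEN); the header line does not match.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s.*?TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)
LOOPBACK = frozenset({"127.0.0.1", "localhost", "[::1]"})

@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    address: str
    port: int

def parse_listeners(lsof_text: str) -> List[Listener]:
    """Turn lsof LISTEN lines into Listener records; unparseable lines are skipped."""
    found = []
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["addr"], int(m["port"])))
    return found

def loopback_listeners(lsof_text: str, known_ok: FrozenSet[str] = frozenset()) -> List[Listener]:
    """Listeners bound only to loopback are reachable from any web page via
    http://localhost:<port>, so every one not on the operator's known list
    deserves a look, especially after the owning application was uninstalled."""
    return [l for l in parse_listeners(lsof_text)
            if l.address in LOOPBACK and l.command not in known_ok]

if __name__ == "__main__":
    for hit in loopback_listeners(SAMPLE_LSOF, frozenset({"Spotify"})):
        print(f"review: {hit.command} (pid {hit.pid}, {hit.user}) on {hit.address}:{hit.port}")
```

On a real machine, feed the function the output of `lsof -nP -iTCP -sTCP:LISTEN` and keep `known_ok` to the local services you have deliberately installed.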
After Leitschuh's post was published, Zoom played down concerns about the web server. On Tuesday, however, the company announced it would issue an emergency patch removing the web server from Mac devices.
"At first, we did not see the web server or the video-on setting as a significant risk to our customers and, in fact, felt they were necessary for our seamless join process," said Richard Farley, Zoom's CISO, in a blog post. "But, hearing the outcry from some of our users and the security community over the past 24 hours, we have decided to make updates to our service."
Apple also pushed a "silent" update on Wednesday that removes the web server from all Mac devices, according to TechCrunch. The update will also protect users who have already uninstalled Zoom.
Enterprise customers
There were differing levels of concern about the severity of this vulnerability. According to BuzzFeed News, Leitschuh rated its severity at 8.5 out of 10; Zoom gave the vulnerability a score of 3.1 after its own review.
Irwin Lazar, vice president and service director at Nemertes Research, said the vulnerability itself should not be a major cause of concern for businesses, since users would quickly notice the Zoom application running on their desktop.
"I don't think it's a big deal," he said. "The risk is that someone clicks on a link that pretends to be a meeting, after which the Zoom client launches and connects them to the meeting." If someone is accidentally joined to a meeting, he said, they will notice the Zoom client activating and will immediately see that they have been joined to the meeting.
"In the worst case, they are on camera for a few seconds before they leave the meeting," Lazar said.
Although the vulnerability itself has not caused problems, the time Zoom took to respond to it is more worrying, said Daniel Newman, founding partner and principal analyst at Futurum Research.
"There are two ways to look at this," Newman said. "As of [Wednesday], based on the [Tuesday] patch, the vulnerability is not that significant.
"However, for enterprise customers, what matters is how this problem went unresolved for several months, how the initial patches could be reversed, recreating the vulnerability, and now we have to ask whether this new patch is going to be a permanent fix," Newman said.
Leitschuh said he first alerted Zoom to the vulnerability in late March, a few weeks before the company's April IPO, and was initially told that the Zoom security engineer was "out of the office." A complete fix was introduced only after the vulnerability was published (although a temporary fix was released this week).
"Ultimately, Zoom failed to quickly confirm that the reported vulnerability actually existed, and they failed to deliver a timely fix to customers," he said. "An organization of this profile and with such a large user base should be more proactive in protecting its users from attack."
In a statement on Wednesday, Zoom CEO Eric S. Yuan said the company "misjudged the situation and did not act quickly enough – and that's on us. We take full ownership and we have learned a lot.
"I can tell you that we take user security extremely seriously and we are sincerely committed to upholding our users' rights."
Do other vendors have similar flaws?
Similar vulnerabilities may well exist in other video conferencing applications, as vendors try to simplify the process of joining meetings.
"I haven't tested other vendors, but I would not be surprised if they do [have similar features]," Lazar said. "Zoom's competitors are trying to match its quick start time and video-first experience, and most of them now let you join a meeting quickly by clicking on a calendar link."
Computerworld contacted other leading videoconferencing software vendors, including BlueJeans, Cisco and Microsoft, to ask whether their desktop applications also require the installation of a web server similar to Zoom's.
BlueJeans said that its desktop application, which also uses a launch service, cannot be activated by malicious websites, and stressed in a blog post today that its application can be completely removed, including the launch service.
"The BlueJeans meeting platform is not vulnerable to any of these issues," said Alagu Periannan, CTO and co-founder.
BlueJeans users can join a video call either through a web browser, which "uses browser permissions" to join a meeting, or with the desktop application.
"From the very beginning, our launch service was implemented with security as the top priority," Periannan said in an email. "The launch service guarantees that only authorized BlueJeans websites (for example, bluejeans.com) can launch the BlueJeans desktop application into a meeting. Unlike the issue [Leitschuh] refers to, malicious websites cannot launch the BlueJeans desktop application."
"We continue to evaluate improved interaction between the desktop and the browser (including the CORS-RFC1918 discussion in the article) to provide the best solution for users," Periannan said. "Customers who are not comfortable using the launch service can work with our support team to disable launching of the desktop application."
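The BlueJeans design described here, set against the Zoom web server described earlier in the article, comes down to one control: a localhost launch endpoint that only honours requests from an allowlisted first-party origin and never launches on a bare GET. The following is an added example in Python, not BlueJeans' or Zoom's code; the origins and the /launch path are assumed placeholders.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed allowlist of first-party origins allowed to trigger a launch
# (placeholders, not any vendor's real configuration).
ALLOWED_ORIGINS = frozenset({"https://meet.example.com", "https://app.example.com"})

def is_trusted_origin(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match the Origin header against the allowlist. A missing or
    'null' Origin, plain http, a stray port, or a look-alike host such as
    meet.example.com.evil.net all fail: the whole scheme://host string
    must match, never a prefix or substring of it."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return False
    return "{}://{}".format(parts.scheme, parts.netloc) in allowed

class LaunchHandler(BaseHTTPRequestHandler):
    """Localhost launch endpoint: a launch happens only for a POST to /launch
    whose Origin is allowlisted. Browsers always attach Origin to cross-site
    POSTs, and page script cannot forge or strip it."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        # Never launch on GET: <img>/<script> tags issue GETs with no CORS
        # check at all, which is exactly how a hidden link on a page would fire.
        self.send_error(405)

    def do_POST(self):
        origin = self.headers.get("Origin")
        if self.path != "/launch" or not is_trusted_origin(origin):
            self.send_error(403)
            return
        # Here the desktop client would be started for the requested meeting.
        self.send_response(200)
        self.send_header("Access-Control-Allow-Origin", origin)  # only an allowlisted value
        self.send_header("Vary", "Origin")
        self.end_headers()
        self.wfile.write(b"launch accepted\n")

def serve(port=0):
    """Bind to loopback only, never 0.0.0.0; port 0 picks a free port."""
    return HTTPServer(("127.0.0.1", port), LaunchHandler)
```

Run `serve(19000).serve_forever()` to try it locally; a POST without an allowlisted Origin gets 403 and any GET gets 405.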
A Cisco spokesman said that Webex "does not install or use a local web server and is not vulnerable."
Microsoft did not immediately respond to a comment request.
Highlighting the dangers of shadow IT
Although the nature of Zoom's vulnerability has attracted attention, for large organizations the security risks run deeper than a single software vulnerability, Newman said. "I think this is more of a SaaS and shadow IT problem than a videoconferencing problem," he said. "Of course, if any piece of network equipment is not properly configured and secured, vulnerabilities will be found. In some cases, even when properly configured, vendors' hardware and software can create vulnerabilities."
Zoom has been a significant success since its founding in 2011, with a number of large enterprise customers including Nasdaq, 21st Century Fox and Delta. This was largely driven by "viral" adoption among employees, rather than the top-down software deployment that IT departments often require.
This type of adoption, which has driven the popularity of programs such as Slack, Dropbox and others in large companies, can create challenges for IT teams that want tight control over the software staff use, Newman said. When programs are not vetted by IT, it leads to "higher risk."
"Enterprise applications need to marry convenience and security; this issue shows that Zoom focused more on the former than the latter," he said.
"This is part of the reason why I remain bullish on the likes of Webex and Microsoft Teams," Newman said. "These programs, as a rule, go through IT and are vetted by the relevant parties. In addition, these companies have a deep bench of security engineers who focus on application security."
He noted Zoom's initial response, that its "security engineer was out of office" and could not answer for several days. "It's hard to imagine a similar response being tolerated at MSFT or [Cisco]."