Recent revelations regarding privacy vulnerabilities in the widely-used Zoom video conferencing software have raised significant alarm across both personal and corporate sectors. The disclosed vulnerabilities have not only highlighted potential risks to user privacy but have also indicated serious threats to device security, especially for Mac users.

The core issue centers on a local web server that the Zoom software installs on users’ machines. This server, designed to support the application’s click-to-join feature, has been identified as enabling unauthorized access to webcams and giving attackers remote control over systems running Apple’s macOS. This opens a pathway for initial access and privilege escalation, two of the tactics catalogued in the MITRE ATT&CK framework.

In addition to the original vulnerability (CVE-2019-13450), a new flaw (CVE-2019-13567) has been reported, which allows remote attackers to execute arbitrary code on targeted devices merely by tricking users into visiting seemingly innocuous web pages. This breach paves the way for further escalation tactics and illustrates the multifaceted nature of the risk posed.

Security researcher Jonathan Leitschuh first brought attention to these vulnerabilities, emphasizing that the local server accepted commands over plain HTTP, so any website a user visited could send them. Additionally, this web server is not removed when users uninstall the Zoom client, leaving a lingering exposure that could be exploited long after uninstallation.

In response to public outrage and potential liability, Zoom issued an emergency update that removes the vulnerable web server component, known as the ZoomOpener daemon. However, this update does not protect former users who uninstalled the application while leaving the insecure server running; they remain susceptible to attacks based on the newly discovered remote code execution flaw.

In a surprising move to assist affected users, Apple has intervened by deploying an automatic update for all macOS users that removes the Zoom web server without requiring any action from users, regardless of their current need for the Zoom application. This update highlights the cross-company collaboration necessary to handle cybersecurity challenges effectively.

Despite a lack of detailed technical information regarding the new remote code execution vulnerability, researchers confirmed the existence of a proof-of-concept exploit, further validating the severity of the situation. As the landscape of cybersecurity continues to evolve, this incident serves as a cautionary tale for business owners who depend on reliable video conferencing tools.

To mitigate risks stemming from both identified vulnerabilities, all Zoom users should promptly apply the latest software updates or, alternatively, use the browser version of the Zoom client. Staying informed about these vulnerabilities and understanding the associated risks is crucial for safeguarding organizational resources against future cyber threats.
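Because the daemon survives an uninstall, a practical check is to look for a process of that name still listening on the loopback interface. The following added example (not from the article, Zoom or Apple) parses output of `lsof +c 0 -nP -iTCP -sTCP:LISTEN` and flags such listeners; the sample output, PIDs and port number are constructed, since the article does not give them.

```python
"""Flag leftover local web servers (e.g. the ZoomOpener daemon) in lsof LISTEN output."""
import re
from dataclasses import dataclass

# Process names the article identifies as the vulnerable component (lower-cased, substring match).
SUSPECT_NAMES = ("zoomopener",)

@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int

    @property
    def loopback(self) -> bool:
        # Servers bound only to localhost are exactly the kind a visiting web page can reach.
        return self.address in ("127.0.0.1", "[::1]", "localhost")

# One line of `lsof +c 0 -nP -iTCP -sTCP:LISTEN`; +c 0 keeps long command names untruncated.
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)

def parse_listeners(lsof_output: str) -> list:
    """Parse lsof output into Listener records; the header and unparseable lines are skipped."""
    found = []
    for line in lsof_output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["addr"], int(m["port"])))
    return found

def suspect_listeners(listeners: list) -> list:
    """Return loopback listeners whose process name matches a known vulnerable daemon."""
    return [l for l in listeners
            if l.loopback and any(n in l.command.lower() for n in SUSPECT_NAMES)]

# Constructed sample output: a leftover daemon on a placeholder port, plus an unrelated sshd.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener 4242 alice    5u  IPv4 0x0000000000000001      0t0  TCP 127.0.0.1:12345 (LISTEN)
sshd        101  root    3u  IPv6 0x0000000000000002      0t0  TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    for l in suspect_listeners(parse_listeners(SAMPLE_LSOF)):
        print(f"leftover local server: {l.command} (pid {l.pid}) on {l.address}:{l.port}")
```

On a real machine, feed the script the live output of the lsof command instead of `SAMPLE_LSOF`; a hit means the uninstall left the daemon behind and the vendor or Apple update has not yet removed it.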
