Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/9/2019
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Zoom Client for Mac Exposing Users to Serious Risks

Videoconferencing software maker downplays risks and says mitigations are on the way.

Zoom Video Communications today announced changes to its videoconferencing client for Mac systems after a security researcher disclosed vulnerabilities in the software that, among other things, allows attackers to force users into video meetings without their permission.

Zoom acknowledged the issues in a blog post but described them as presenting less of a threat to Mac users than reported by Gradle security researcher Jonathan Leitschuh. Zoom, whose software is used by millions of Mac users, also announced changes to its bug bounty program to make it easier for security researchers to disclose vulnerabilities to the company.

Yesterday, Leitschuh disclosed a trio of issues in the Mac Zoom Client that he said put an estimated 4.5 million users — including some 750,000 organizations — at risk of information disclosure and other threats.

The most serious is a vulnerability that gives attackers a way to forcibly join a user to a Zoom video call even when that person did not grant permission for it. The problem has to do with a local Web server that Zoom installs on Macs.

According to Zoom, the Web server allows users using the Safari browser to join Zoom meetings without having to confirm they want to start the Zoom client first each time.

From a security standpoint, the problem is that any website a Mac user visits can also interact with the Web server, Leitschuh said in his post. This gives attackers an opportunity to use the Web server to get Mac users to join meetings without their permission, according to Leitschuh, who released proof-of-concept code showing how such a hack would work.

"All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running," Leitschuh said. "This could be embedded in malicious ads, or it could be used as a part of a phishing campaign."

What makes matters worse is the fact that the Web server remains on the system even if a user uninstalls the Zoom client. The Web server is designed to automatically reinstall the Zoom client without any user interaction at all, leaving open the possibility for future abuse, the security researcher said. "Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," according to Leitschuh.

One example Leitschuh highlighted is of attackers being able to execute a denial-of-service attack on a Mac simply by repeatedly pinging the Zoom Web server with requests for a bad number. That particular issue existed in Zoom's Client version 4.4.2 and has since been addressed via a patch that Zoom issued in May, he said.

Feature or Bug?
In its blog, Zoom acknowledged that if a user has not configured the Zoom client to disable video when joining a meeting, an attacker might be able to view his video feed. However, by disabling the auto-starting of video, users can mitigate the threat. Also, because the Zoom client is visible to the user when it launches, any attempt to force a user into a video meeting would also become immediately apparent to the user, who could then shut it down immediately.

Zoom described the Web server as being of limited functionality and able to respond only to requests from the local machine. The company said the Web server was a legitimate approach to enabling users on Safari to join meetings with just one click. Other videoconferencing software tools have a similar feature, the company said.

At the same time, Zoom acknowledged it currently does not offer users an easy way to uninstall both the client and Web server components from their systems. To address that issue, the company will introduce a new uninstaller for Mac later this month that also will give users more control over their video settings. Users will be able to set their video preferences from their first Zoom meeting, and those preferences will stick for all future meetings unless they change them.

The fact that Zoom installs a local Web server by itself is not bad, says Tod Beardsley, research director at Rapid7.

The local server offers a way to address the different ways different browsers enforce same origin policies when it comes to "localhost," he says. But "it's definitely bad that it doesn't uninstall when the application is uninstalled, since now the user is left with a running local Web server they don't know about," he says. An attacker armed with an exploit could deliver it via an iframe, for instance, that would run on the local Web server without the user's knowledge.

Boris Cipot, senior security engineer at Synopsys, says in addition to disabling the auto-start video function in Zoom, users should also monitor Zoom for any notifications and patches for the issues disclosed this week.

"If you don't normally use Zoom and it just happened that you were invited in a Zoom session, you have the risk the vulnerability also on your device," he says. "This means that you are now a potential target for someone who wants to use this vulnerability as well."  

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.