Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/9/2019
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Zoom Client for Mac Exposing Users to Serious Risks

Videoconferencing software maker downplays risks and says mitigations are on the way.

Zoom Video Communications today announced changes to its videoconferencing client for Mac systems after a security researcher disclosed vulnerabilities in the software that, among other things, allows attackers to force users into video meetings without their permission.

Zoom acknowledged the issues in a blog post but described them as presenting less of a threat to Mac users than reported by Gradle security researcher Jonathan Leitschuh. Zoom, whose software is used by millions of Mac users, also announced changes to its bug bounty program to make it easier for security researchers to disclose vulnerabilities to the company.

Yesterday, Leitschuh disclosed a trio of issues in the Mac Zoom Client that he said put an estimated 4.5 million users — including some 750,000 organizations — at risk of information disclosure and other threats.

The most serious is a vulnerability that gives attackers a way to forcibly join a user to a Zoom video call even when that person did not grant permission for it. The problem has to do with a local Web server that Zoom installs on Macs.

According to Zoom, the Web server allows users using the Safari browser to join Zoom meetings without having to confirm they want to start the Zoom client first each time.

From a security standpoint, the problem is that any website a Mac user visits can also interact with the Web server, Leitschuh said in his post. This gives attackers an opportunity to use the Web server to get Mac users to join meetings without their permission, according to Leitschuh, who released proof-of-concept code showing how such a hack would work.

"All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running," Leitschuh said. "This could be embedded in malicious ads, or it could be used as a part of a phishing campaign."

What makes matters worse is the fact that the Web server remains on the system even if a user uninstalls the Zoom client. The Web server is designed to automatically reinstall the Zoom client without any user interaction at all, leaving open the possibility for future abuse, the security researcher said. "Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," according to Leitschuh.

One example Leitschuh highlighted is of attackers being able to execute a denial-of-service attack on a Mac simply by repeatedly pinging the Zoom Web server with requests for a bad number. That particular issue existed in Zoom's Client version 4.4.2 and has since been addressed via a patch that Zoom issued in May, he said.

Feature or Bug?
In its blog, Zoom acknowledged that if a user has not configured the Zoom client to disable video when joining a meeting, an attacker might be able to view his video feed. However, by disabling the auto-starting of video, users can mitigate the threat. Also, because the Zoom client is visible to the user when it launches, any attempt to force a user into a video meeting would also become immediately apparent to the user, who could then shut it down immediately.

Zoom described the Web server as being of limited functionality and able to respond only to requests from the local machine. The company said the Web server was a legitimate approach to enabling users on Safari to join meetings with just one click. Other videoconferencing software tools have a similar feature, the company said.

At the same time, Zoom acknowledged it currently does not offer users an easy way to uninstall both the client and Web server components from their systems. To address that issue, the company will introduce a new uninstaller for Mac later this month that also will give users more control over their video settings. Users will be able to set their video preferences from their first Zoom meeting, and those preferences will stick for all future meetings unless they change them.

The fact that Zoom installs a local Web server by itself is not bad, says Tod Beardsley, research director at Rapid7.

The local server offers a way to address the different ways different browsers enforce same origin policies when it comes to "localhost," he says. But "it's definitely bad that it doesn't uninstall when the application is uninstalled, since now the user is left with a running local Web server they don't know about," he says. An attacker armed with an exploit could deliver it via an iframe, for instance, that would run on the local Web server without the user's knowledge.

Boris Cipot, senior security engineer at Synopsys, says in addition to disabling the auto-start video function in Zoom, users should also monitor Zoom for any notifications and patches for the issues disclosed this week.

"If you don't normally use Zoom and it just happened that you were invited in a Zoom session, you have the risk the vulnerability also on your device," he says. "This means that you are now a potential target for someone who wants to use this vulnerability as well."  

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-5271
PUBLISHED: 2019-11-12
Pacemaker before 1.1.6 configure script creates temporary files insecurely
CVE-2014-3599
PUBLISHED: 2019-11-12
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2014-7143
PUBLISHED: 2019-11-12
Python Twisted 14.0 trustRoot is not respected in HTTP client
CVE-2018-18819
PUBLISHED: 2019-11-12
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creat...
CVE-2019-18658
PUBLISHED: 2019-11-12
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlin...