Zoom Webconference Vulnerability

I assume the Tidbits wizards (minor wizards?) are working on an article re: this newly revealed vulnerability in the Mac version of Zoom’s webconference tool.

I have Zoom installed on one of my iMacs (albeit one with a post-it note covering the camera). I guess it sometimes pays to be paranoid.

After a lengthy discussion by the author of that article with engineers and the CEO of Zoom (using a Zoom conference) I believe a meeting of the minds has been reached to resolve all current concerns. There have been at least two updates released today, the last of which should satisfy everybody.

Very true, they will rip out the web server. But the fact that they installed something on computers in order to get around a security mechanism speaks volumes about the trustworthiness of this company.

Jonathan Leitschuh, who first brought this issue to light, has discovered that the Web server Zoom installed had a remote code execution vulnerability. No need to update the article since Apple has taken care of it, but sheesh.

Discovered today that the Apple fix did not resolve the same issue regarding the RingCentral vulnerability. RingCentral users need to upgrade to eliminate the problem.

Quote from Zoom’s initial response to Leitschuh’s disclosure:

Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.

It’s remarkable how inconsiderate and ignorant some companies act, and how they all too often invoke the magical buzzword-du-jour, “user experience,” as an excuse for circumventing meaningful security mechanisms, etc. — and, of course, do so without even making users aware of this.

One wonders if this comment from Zoom’s follow-up blog post, then, is quite audacious or just foolish:

What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.