<h1>Zoom fixes webcam flaw for Macs, but security concerns linger</h1>
<p><strong>Credit to Author: Matthew Finnegan | Date: Thu, 11 Jul 2019 11:51:00 -0700</strong></p>
<p>Zoom released a patch this week to fix a security flaw in the Mac version of its desktop video chat app that could allow hackers to take control of a user’s webcam.</p>
<p>The vulnerability was discovered by security researcher Jonathan Leitschuh, who published information about it in a <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5" rel="noopener nofollow" target="_blank">blog post</a> Monday. The flaw potentially affected 750,000 companies and approximately 4 million individuals using Zoom, Leitschuh said.</p>
<p>Zoom said it’s seen “no indication” any users were affected. But concerns about the flaw and how it works raised questions about whether other similar apps could be equally vulnerable.</p>
<p>The flaw involves a feature in the Zoom app that lets users quickly join a video call with one click, thanks to a unique URL link that immediately launches the user into a video meeting. (The feature is designed to launch the app quickly and seamlessly for a better user experience.) Although Zoom gives users the option to keep their camera off before joining a call – and users can later turn the camera off in the app’s settings – the default is to have the camera on.</p>
<p>Users need to check this box in the Zoom app to shut down access to the camera.</p>
<p>Leitschuh argued that the feature could be used for nefarious purposes. By directing a user to a site with a quick-join link embedded and hidden in the site’s code, an attacker could cause the Zoom app to launch, switching the camera and/or microphone on without the user’s permission. That’s possible because Zoom also installs a web server when the desktop app is downloaded.</p>
<p>Once installed, the web server remains on the device – even after the Zoom app has been deleted.</p>
<p>After publication of Leitschuh’s post, Zoom downplayed concerns about the web server. On Tuesday, however, the company announced it would issue an emergency patch to remove the web server from Mac devices.</p>
<p>“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley said in a <a href="https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/" rel="noopener nofollow" target="_blank">blog post</a>. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”</p>
<p>Apple also released a “silent” update on Wednesday that ensures the web server is removed on all Mac devices, <a href="https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/" rel="noopener nofollow" target="_blank">according to <em>Techcrunch</em></a>. That update would also help protect users who had deleted the Zoom app.</p>
<p>There have been varying levels of concern about the severity of the vulnerability. According to <a href="https://www.buzzfeednews.com/article/nicolenguyen/zoom-webcam-hacker-watching-you-vulnerability" rel="noopener nofollow" target="_blank"><em>Buzzfeed News</em></a>, Leitschuh classified its seriousness at 8.5 out of 10; Zoom rated the flaw at 3.1 following its own review.</p>
<p>Irwin Lazar, vice president and service director at Nemertes Research, said the vulnerability itself should not be a major cause of concern for enterprises, as users would quickly notice the Zoom app being launched on their desktop.</p>
<p>“I don’t think this is very significant,” he said. “The risk is that someone clicks on a link pretending to be for a meeting, then their Zoom client starts and connects them into the meeting.” If video has been configured as on by default, a user would be seen until they realized they had inadvertently joined a meeting. “They would notice the Zoom client activating, and they would immediately see that they have been joined into a meeting.</p>
<p>“At worst, they are on camera for a few seconds before they leave the meeting,” Lazar said.</p>
<p>While the vulnerability itself isn’t known to have created problems, the time taken by Zoom to respond to the issue is more of a concern, said Daniel Newman, Founding Partner/Principal Analyst at Futurum Research.</p>
<p>“There are two ways of looking at this,” Newman said. “As of [Wednesday], based upon the patch that was released [Tuesday], the vulnerability isn’t that significant.</p>
<p>“However, what is significant for enterprise customers is how this issue dragged out for months without resolution, how the initial patches were able to be rolled back re-creating the vulnerability and now having to ask if this newest patch will indeed be a permanent solution,” Newman said.</p>
<p>Leitschuh said he first warned Zoom about the vulnerability in late March, a few weeks prior to the company’s IPO in April, and was initially informed that Zoom’s security engineer was “out of office.” A full fix was only put in place after the vulnerability was made public (though a temporary fix was rolled out before this week).</p>
<p>“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” he said. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.”</p>
<p>In a statement Wednesday, Zoom CEO Eric S Yuan said the company had “misjudged the situation and did not respond quickly enough – and that’s on us. We take full ownership and we’ve learned a great deal.</p>
<p>“What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.”</p>
<p>It is possible that similar vulnerabilities could be present in other videoconferencing applications too, as vendors attempt to streamline the process of joining meetings.</p>
<p>“I haven’t tested other vendors, but I wouldn’t be surprised if they do [have similar features],” said Lazar. “Zoom competitors have been trying to match their fast start times and video-first experience, and most everyone now enables the ability to quickly join a meeting by clicking on a calendar link.”</p>
<p><em>Computerworld</em> contacted other leading videoconferencing software vendors, including BlueJeans, Cisco and Microsoft, to ask whether their desktop apps also require the installation of a web server like the one from Zoom.</p>
<p>BlueJeans said its desktop app, which also uses a launcher service, cannot be activated by malicious websites and <a href="https://www.bluejeans.com/blog/bluejeans-video-conferencing-security" rel="noopener nofollow" target="_blank">stressed in a blog post today</a> that its app can be completely uninstalled – including the removal of the launcher service.</p>
<p>“The BlueJeans meeting platform is not vulnerable to either of these issues,” said Alagu Periyannan, the company’s CTO and co-founder.</p>
<p>BlueJeans users can either join a video call via a web browser – which “leverages the browsers’ native permission flows” to join a meeting – or by using the desktop app.</p>
<p>“From the beginning our launcher service was implemented with security as top of mind,” Periyannan said in an emailed statement. “The launcher service ensures that only BlueJeans authorized websites (e.g. bluejeans.com) can launch the BlueJeans desktop app into a meeting. Unlike the issue referenced by [Leitschuh], malicious websites cannot launch the BlueJeans desktop app.</p>
<p>“As an ongoing effort we continue to evaluate browser-desktop interaction improvements (including the discussion raised in the article around CORS-RFC1918) to ensure we are offering the best possible solution for users,” Periyannan said. “In addition, for any customers who are uncomfortable with using the launcher service, they can work with our support team to have the launcher disabled for the desktop app.”</p>
<p>A Cisco spokesperson said its Webex product does “not install or use a local web server, and it is not impacted by this vulnerability.”</p>
<p>Microsoft did not immediately respond to a request for comment.</p>
<p>While the nature of the Zoom vulnerability attracted attention, for large organizations the security risks go deeper than one software vulnerability, said Newman. “I believe this is more of a SaaS and shadow IT problem than a video conferencing problem,” he said. “Of course, if any piece of networking equipment isn’t properly set up and secured, vulnerabilities will be exposed. In some cases, even when set up correctly, software and firmware from the manufacturers can create issues that lead to vulnerabilities.”</p>
<p>Zoom has enjoyed significant success since its creation in 2011, with a range of large enterprise customers that includes Nasdaq, 21st Century Fox and Delta. This has largely been because of word-of-mouth, “viral” adoption among employees, rather than top-down software rollouts often mandated by IT departments.</p>
<p>That manner of adoption – which drove the popularity of apps like Slack, Dropbox and others at large companies – can create challenges for IT teams that want tight control of software used by staff, said Newman. When apps aren’t vetted by IT, this leads to “greater levels of risk.”</p>
<p>“Enterprise applications need to have a marriage of usability and security; this particular issue shows that Zoom has clearly focused more on the former than the latter,” he said.</p>
<p>“This is part of the reason I stay bullish on the likes of Webex Teams and Microsoft Teams,” Newman said. “Those applications tend to enter through IT and are vetted by the appropriate parties. Furthermore, those companies have a deep bench of security engineers that are focused on application safety.”</p>
<p>He noted Zoom’s initial response – that its “Security Engineer was out of the office” and unable to reply for several days. “It’s hard to imagine a similar response being tolerated at MSFT or [Cisco].”</p>
<p><a href="https://www.computerworld.com/article/3408322/zoom-fixes-webcam-flaw-for-macs-but-security-concerns-linger.html#tk.rss_security">http://www.computerworld.com/category/security/index.rss</a></p>