According to foreign media reports, if you are one of the millions of Zoom video conferencing users and have installed the application on a Mac, you are advised to check your settings and make sure the camera is disabled by default. In the Settings > Video section you will find the checkbox labelled “Close video when joining a meeting.”
This is because researcher Jonathan Leitschuh has publicly disclosed a serious security vulnerability in the Zoom application, following the “zero-day” disclosure practice, and has advised users to update the application as soon as the company releases a patch.
The vulnerability stems from a design flaw in Zoom: a local web server, installed on the machine to improve the user experience, exposes the system to malicious websites and allows the webcam to be activated. In practice, a user can be forced into a Zoom call, which can also be used to initiate a denial-of-service attack (a variant that a patch addresses), and the application can be re-activated even after it has been uninstalled, all without the user's permission.
Zoom explains that the local server was introduced to smooth out a fragmented user experience and as a workaround for the Safari 12 upgrade, calling it “a legitimate solution for a bad user experience that allows our users to join the conference seamlessly with one click. This is our key product differentiation.”
However, Jonathan Leitschuh said in his disclosure: “First, installing a Zoom application running a web server on my local machine and using a completely undocumented API feels very rough for me. Secondly, any website I visit can interact with this web server running on my machine. This is a huge danger signal for me as a security researcher.”
Jonathan Leitschuh accuses Zoom of using a local server to “make a huge goal behind the scenes” and of putting millions of users at risk of cyberattack through a poorly structured technical solution whose only purpose is to improve the user experience. The approach effectively bypasses the security protections of the user's browser, and those protections exist for good reason.
Jonathan Leitschuh disclosed the issue to Zoom in March, saying: “Using this surprisingly simple Zoom vulnerability, you only need to send a meeting link to anyone (e.g. https://zoom.us/j/492468757); when they open the link in the browser, their Zoom client can magically open on their local machine, which makes it easy for users to fall into danger.”
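To make the architectural point concrete, here is an added example, not Zoom's code and not from the researcher's disclosure: a minimal localhost HTTP endpoint of the kind a desktop app might run so that a web page can ask it to open a meeting. The weak policy obeys any request that names a meeting, which is exactly what lets an unrelated website drive the local server. The hardened policy requires the browser-supplied Origin header to be on an allow list and a per-session token that only the vendor's own page is given. The port, origin and path names are placeholders chosen for the example.

```python
"""Constructed example (not Zoom's code): a localhost endpoint that lets a web
page ask a desktop app to open a meeting, with the weak request policy the
article describes next to a hardened one. Port, origin and paths are placeholders."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

LOCAL_PORT = 8765                                       # placeholder, not Zoom's port
TRUSTED_ORIGINS = {"https://meetings.example.invalid"}  # placeholder vendor origin
# Per-session secret the app would hand only to its trusted origin over an
# authenticated channel, so an arbitrary third-party page cannot know it.
SESSION_TOKEN = secrets.token_urlsafe(32)


def weak_policy(path, headers):
    """The pattern the article describes: any GET that names a meeting is obeyed.
    Any website can trigger this, e.g. with <img src="http://localhost:PORT/launch?...">."""
    parsed = urlparse(path)
    query = parse_qs(parsed.query)
    if parsed.path == "/launch" and "meeting" in query:
        return ("join", query["meeting"][0])
    return ("ignore", None)


def hardened_policy(path, headers, token=None):
    """Hardened policy: the Origin header must be on the allow list AND the
    caller must present the per-session token. A plain <img> or <script> request
    from another site carries no Origin header and cannot know the token, so it
    is rejected before any action is taken. `token` overrides SESSION_TOKEN for testing."""
    parsed = urlparse(path)
    if parsed.path != "/launch":
        return ("ignore", None)
    # Header names are case-insensitive; normalise before looking up Origin.
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if origin not in TRUSTED_ORIGINS:
        return ("reject", "untrusted or missing Origin")
    query = parse_qs(parsed.query)
    supplied = query.get("token", [None])[0]
    expected = token if token is not None else SESSION_TOKEN
    if supplied is None or not secrets.compare_digest(supplied, expected):
        return ("reject", "bad token")
    if "meeting" not in query:
        return ("reject", "no meeting id")
    return ("join", query["meeting"][0])


class LaunchHandler(BaseHTTPRequestHandler):
    """Wires the hardened policy into a real localhost server."""

    def do_GET(self):
        verdict, detail = hardened_policy(self.path, self.headers)
        status = 200 if verdict == "join" else 403 if verdict == "reject" else 404
        body = f"{verdict}: {detail}\n".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        if verdict == "join":
            # Only here would the app actually open the meeting client.
            print(f"[app] would open meeting {detail} after policy checks passed")


if __name__ == "__main__":
    print(f"session token for the trusted page: {SESSION_TOKEN}")
    HTTPServer(("127.0.0.1", LOCAL_PORT), LaunchHandler).serve_forever()
```

The Origin check alone is not enough, since non-browser clients on the same machine can set any headers they like; the random per-session token is what ties a request to the page the app actually handed it to. Note also that a local server like this does not benefit from the browser's same-origin protections, which is why the article's point about bypassing browser safeguards matters: the endpoint must enforce its own policy.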
In the disclosure, Jonathan Leitschuh stated that Zoom postponed handling of the vulnerability and did not begin discussing his findings until 90 days before the end of the 90-day non-disclosure “grace period”. Then, on June 24th, “after 90 days of waiting, the last day before the public disclosure deadline,” Zoom simply deployed the “quick fix” he had proposed to the company three months earlier.
“At the end of the day, Zoom failed to quickly confirm that the reported vulnerabilities did exist, and they failed to deliver the solution to the customer in a timely manner. Organizations with such a large user base should have been more proactive in protecting their users from attack.”
Skilled users can find and remove the application, but for the rest of us the practical step is to change the video settings and keep the app updated. There is currently no indication that Zoom will make major technical changes to address this architectural weakness, so changing the video setting and keeping the application updated appears to be the best way to avoid attacks.
In a statement, Zoom confirmed the issue and acknowledged that “if the attacker can entice the target user to click on the web link to the attacker's Zoom conference, either in an email message or on a web server, the target user may join the attacker's Zoom conference without their knowledge.”
Zoom added that its July update “will apply and save video preferences from the first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn off video when joining a meeting. This change will be applied to all client platforms.”
Zoom said: “We take all security issues related to our products very seriously and have a dedicated security team. We acknowledge that our website does not currently provide clear information for reporting security issues. In the coming weeks, Zoom will use our public vulnerability reward program to complement our existing private rewards program.”
However, Jonathan Leitschuh remains skeptical, and suggests that a “zero-day” disclosure strategy is what ensures that issues like this receive the attention they deserve.