Zoom Video Communications today announced changes to its videoconferencing client for Mac systems after a security researcher disclosed vulnerabilities in the software that, among other things, allows attackers to force users into video meetings without their permission.
Zoom acknowledged the issues in a blog post but described them as presenting less of a threat to Mac users than reported by Gradle security researcher Jonathan Leitschuh. Zoom, whose software is used by millions of Mac users, also announced changes to its bug bounty program to make it easier for security researchers to disclose vulnerabilities to the company.
Yesterday, Leitschuh disclosed a trio of issues in the Mac Zoom Client that he said put an estimated 4.5 million users — including some 750,000 organizations — at risk of information disclosure and other threats.
The most serious is a vulnerability that gives attackers a way to forcibly join a user to a Zoom video call even when that person did not grant permission for it. The problem has to do with a local Web server that Zoom installs on Macs.
According to Zoom, the Web server allows users using the Safari browser to join Zoom meetings without having to confirm they want to start the Zoom client first each time.
From a security standpoint, the problem is that any website a Mac user visits can also interact with the Web server, Leitschuh said in his post. This gives attackers an opportunity to use the Web server to get Mac users to join meetings without their permission, according to Leitschuh, who released proof-of-concept code showing how such a hack would work.
"All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running," Leitschuh said. "This could be embedded in malicious ads, or it could be used as a part of a phishing campaign."
What makes matters worse is the fact that the Web server remains on the system even if a user uninstalls the Zoom client. The Web server is designed to automatically reinstall the Zoom client without any user interaction at all, leaving open the possibility for future abuse, the security researcher said. "Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom," according to Leitschuh.
One example Leitschuh highlighted is of attackers being able to execute a denial-of-service attack on a Mac simply by repeatedly pinging the Zoom Web server with requests for a bad number. That particular issue existed in Zoom's Client version 4.4.2 and has since been addressed via a patch that Zoom issued in May, he said.
Feature or Bug?
In its blog, Zoom acknowledged that if a user has not configured the Zoom client to disable video when joining a meeting, an attacker might be able to view his video feed. However, by disabling the auto-starting of video, users can mitigate the threat. Also, because the Zoom client is visible to the user when it launches, any attempt to force a user into a video meeting would also become immediately apparent to the user, who could then shut it down immediately.
Zoom described the Web server as being of limited functionality and able to respond only to requests from the local machine. The company said the Web server was a legitimate approach to enabling users on Safari to join meetings with just one click. Other videoconferencing software tools have a similar feature, the company said.
At the same time, Zoom acknowledged it currently does not offer users an easy way to uninstall both the client and Web server components from their systems. To address that issue, the company will introduce a new uninstaller for Mac later this month that also will give users more control over their video settings. Users will be able to set their video preferences from their first Zoom meeting, and those preferences will stick for all future meetings unless they change them.
The fact that Zoom installs a local Web server by itself is not bad, says Tod Beardsley, research director at Rapid7.
The local server offers a way to address the different ways different browsers enforce same origin policies when it comes to "localhost," he says. But "it's definitely bad that it doesn't uninstall when the application is uninstalled, since now the user is left with a running local Web server they don't know about," he says. An attacker armed with an exploit could deliver it via an iframe, for instance, that would run on the local Web server without the user's knowledge.
Boris Cipot, senior security engineer at Synopsys, says in addition to disabling the auto-start video function in Zoom, users should also monitor Zoom for any notifications and patches for the issues disclosed this week.
"If you don't normally use Zoom and it just happened that you were invited in a Zoom session, you have the risk the vulnerability also on your device," he says. "This means that you are now a potential target for someone who wants to use this vulnerability as well."
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.