Yesterday, Zoom released an emergency patch to address the zero-day vulnerability affecting Mac users, which could allow an attacker to hijack their computer. The fix is an instant reversal of Zoom’s previous stance, in which the company treated the security flaw as “low risk” and defended its use of a local web server that exposed Zoom users to attack.
The patch, detailed in the latest update to Zoom’s blog post on the flaw, will “remove the local web server entirely, once the Zoom client has been updated,” taking away a malicious third party’s ability to automatically activate a user’s webcam through a Zoom link.
After the fix was released, Zoom’s chief information security officer, Richard Farley, explained the thinking behind the company’s about-face today:
“Ultimately, it’s based on the feedback of the people that have been following this and contributing to the discussion. Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision. And it was [at] the request of some of our customers.
But we also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine. So that’s why we made the decision to remove that component — despite the fact that it’s going to require an extra click from Safari.”
Despite its earlier claims that the web server it had installed was “stripped down to its bare functionality” and was secure, the company decided to remove it.
Another concern related to the application is the ability to embed Zoom links inside iframes on web pages. According to Richard Farley, Zoom won’t block that functionality because too many of its enterprise customers use iframes in their implementation of Zoom’s software.
Zoom’s directions for installing the patch and removing the web server entirely are reproduced below.
The patch, planned for July 9 at or before 12:00 AM PT, was to do the following:
1. Remove the local web server entirely, once the Zoom client has been updated – We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.
2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.
Following an earlier post from Jonathan Leitschuh, Zoom said it would be launching an update later this month that would let users save their video call preferences so that the webcam stays off whenever they join a new call. This works by carrying a user’s preferences over to new calls, including calls joined through disguised spam links created to get the user to click and unintentionally activate their webcam.
Yet, when talking about security issues, we should also consider other pieces of software that install web server processes or other hidden “helper” components. As Farley stated in Zoom’s original defense of the practice, “We are not alone among video conferencing providers in implementing this solution.” As others have noted on Twitter, the practice extends well beyond video conferencing software.