Jump to content
Sign in to follow this  
Doc Justice

Zoom.us Security Flaw

Recommended Posts

https://lifehacker.com/remove-zoom-from-your-mac-right-now-1836209383

 

If you've been following the news about Zoom's security flaws, you'll want to remove the applications from your computer as soon as possible.

 

Sounderday participants can still use Zoom, but are encourage to either use the browser or mobile versions.

Share this post


Link to post
Share on other sites

Thank you, Doc, for bringing this up, but this doesn't tell the whole story by any means. First of all, the vulnerability that this one person so publicly declared yesterday, came right on the heels of Motley Fool issuing a stock recommendation for Zoom  ---  there has been quite a lot of speculation that this public airing of a software vulnerability was tied to a stock scam (shorting the stock on the "news"). Also, after all the research that I have done over the last two days, there does not seem to be any reports of this vulnerability having been exploited. The person who made this all public has really only demonstrated what is referred to as a Proof of Concept after a very detailed analysis of the software architecture. I am not saying the vulnerability did not exist, I am just saying that it has not been reported to have ever compromised anyone's Mac. Additionally, the whole Zoom routine is application based, not browser based, and it is not possible to use Zoom from just the browser  ----  browser access, with a link, is provided, but that just downloads the application to allow you to join a meeting. CORRECTION: Zoom DOES provide access with only the browser  ---  I was mistaken on this. There is some speculation (I have not confirmed) that depending on what browser you are using, Zoom may download and insert a small applet to establish proper browser access. Also, using Zoom via the web has limited functions, can only view one participant on screen, may not work properly with older version of Safari, and so on and so on. The application does not have the vulnerabilities on Windows based computers. Lastly, it seems that the current version of Zoom software application has fixed the issue so everyone is probably safe if you update to the current version.

 

This is a LINK to most complete article regarding the discovery of the Zoom vulnerability. It’s a rather comprehensive read that you may not even want to bother with but here it is. Another article I just read made suggestions of other video conferencing software for those wanting to abandon Zoom  --- problem is, with a little research I discovered that two of the recommendations have exactly the same vulnerability!

 

Another article trying to promote other competitive video conferencing services said the following:

 

"So there you have it--a look at three alternatives to Zoom that, in some cases, might deliver the same or even better performance than what you're getting now.

 

Of course, if you feel like you can't leave Zoom, there's a good chance that the problems will be fixed soon. And if you turn off the feature that automatically turns on the webcam when you start a meeting, you won't suffer from the problem."

 

I think we are all in more jeopardy just using Google and being on Facebook!

Share this post


Link to post
Share on other sites

Sorry to chime in late, It's being a really hectic week (my father passed away on Sunday) so I didn't follow the news much.

 

The vulnerability is a serious design flaw because it launches a web server in the user's computer. That server is only accessible form the local computer. You can't connect to it from the Internet, but it's possible from a program running in your computer. So it is still available, for example, to your web browser. Remember that web browers are not just document viewers. Many years ago a programming language was added (JavaScript) so it can be a dangerous combination. 

 

Although Zoom's response to the first disclosure was far from stellar (at first it seems they were unable to understand why launching that web server is an Extremely Bad Idea™) they have now released an update that solves the issue. Getting rid of the software is also easier thanks to a comprehensive uninstaller.

 



Release notes of 4.4.53932.0709:
Remove local web server
-We are discontinuing the use of a local web server on Mac devices.
Following the update, the local web server will be completely removed
from the Zoom installation
Option to uninstall Zoom
-Zoom users can now uninstall the Zoom desktop application and all of
its components through the settings menu

 

Some colleagues who were using it have confirmed that indeed the web server is done. And hopefully Zoom have learned a hard lesson.

 

Share this post


Link to post
Share on other sites
9 minutes ago, Doc Justice said:

Apple themselves seem to have now gotten involved to protect Mac users:

 

https://www.engadget.com/2019/07/10/apple-mac-update-removes-zoom-exploit/

 

Hopefully the mess is fully cleaned up.

You beat me to it:

 

Apple removes Zoom web server in stealth Mac update
http://appleinsider.com/articles/19/07/10/apple-removes-zoom-web-server-in-stealth-mac-update

Share this post


Link to post
Share on other sites

Good article detailing the history and current state of Zoom software issue.

 

excerpt from the article on The Verge website:

 

After all of the drama over Zoom’s use of a hidden web server on Macs, Apple itself has decided to step in, TechCrunch reports. It is issuing a silent update — meaning your Mac will get it without any interaction on your part — to remove the web server, which was designed to save Safari users an extra click, from any Mac that has Zoom’s software installed.

Although Zoom itself issued an emergency patch yesterday to remove that web server, apparently Apple is concerned that enough users won’t update or are unaware of the controversy in the first place that it’s issuing its own patch. It makes perfect sense not only because many users may not open Zoom for some time, but also because many of them had uninstalled the app. Before Zoom’s emergency update, uninstalling the app left the web server on your computer — so Zoom wouldn’t have a way to uninstall it with an updated app. That means the only reasonable and easy way for those people to get this patch would be for Apple to provide it. Apple reportedly believes this software update shouldn’t affect Zoom’s ability to function on Macs.

 

Full LINK to article

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...