In an embarrassing twist to the week-long saga of Zoom's vulnerable web conferencing app, Apple has issued a "silent" update that automatically removes the software's hidden web server from Macs.
Zoom had released its own fix to do the same thing the day before, on July 9, 2019, but Apple's update also protects users who had either not updated the software or had deleted it before the company took this action.
Having something removed from a platform by Apple is not a good look, and to add insult to injury, according to Apple security expert Patrick Wardle, it was removed using the macOS Malware Removal Tool (MRT).
Zoom later said that it had worked with Apple to "test" the removal update, which to some will sound like a face-saving statement of the obvious.
Rinse and Repeat
It is fair to say that the last week has not been a good one for anyone working at Zoom, whose web conferencing software boasts over four million users on desktop and mobile platforms, including Windows (some of whose users are also affected).
The timeline of the vulnerabilities identified in Zoom, and of the company's responses to them, has become quite confusing since news of the issue was released on July 8, 2019 by researcher Jonathan Leitschuh.
Naked Security has already covered much of this in a previous story, including some basic mitigations for it.
We will summarize the ever more confusing story since that coverage by noting that the vulnerabilities have now generated three advisories:
- CVE-2019-13449 (the original denial-of-service flaw),
- CVE-2019-13567 (webcam takeover, unpatched but mitigated by removing the web server described above), and
- CVE-2019-13567 (a vulnerability that allows remote code execution).
The first and third issues should be fixed by updating to Zoom client version 4.4.2 on macOS (the software is also rebranded by RingCentral, in which case the fixed version is 7.0.136380.0312).
Programs are affected by security issues all the time, but Leitschuh's account of his attempts to get the company's attention after he first discovered the problem in March 2019 does not read well.
First, it took weeks to get a response, after which, he says, the company offered him a bounty on condition that he did not publish the problem.
After some toing-and-froing and the expiry of Leitschuh's 90-day disclosure deadline, a "fix" was issued that turned out not to solve the problem, at which point he made the flaws public.
Leitschuh tweeted on July 8, 2019:
Jonathan Leitschuh (@JLLeitschuh) July 8, 2019
Zoom responded with a statement admitting that its website "did not provide clear information for reporting security issues", and announced plans to launch a public bug-bounty program.
It also painted a less tardy picture of its response to the flaws, without explaining why its engineers took the decidedly risky step of running a local web server with an undocumented API in the first place.
For his part, Leitschuh recommends reporting bugs through third-party bug-bounty programs rather than directly to Zoom. Either way, with researchers now all over the software, Zoom has a job on its hands to restore confidence.