Zoom Vulnerability (fixed)

[UPDATE 9:56 AM EST, Tuesday 7/16]:

  1. Zoom has pushed out an update for Mac AND every other platform (e.g., Windows computers, Android and Apple tablets and smart phones). Users are being prompted to install this update after leaving a session (or if on a mobile device, the updates are installed automatically if the user’s Google Play Store or App Store settings allow it).
  2. In the new update, cameras are disabled by default; you will have to click the “Start Video” button in order to start your camera.

Summary:

On Tuesday night, July 9th, we became aware of a security vulnerability within Zoom, the video platform we use. This vulnerability, affecting Mac/Apple users only, would allow an attacker to turn on your camera after you click a malicious link or visit a malicious website. We have been keeping an eye on it since; it was quickly resolved through the work of both the Zoom team and the Apple team.

We value your security like it’s our own. When we heard of this issue, we immediately started learning more. By the time we had a complete understanding of the issue and the various responses, Zoom and Apple had already worked to address it. When starting Zoom, Mac users may be prompted to download the latest version. You can also download the latest secure version of Zoom here: zoom.us/download

To reiterate, as of now, the issue has been resolved. But we felt it was important for you to be aware of this, to hear it from us, and to know that we were looking out for you.

Details:

On Tuesday night, we came across this tweet:


Jonathan Leitschuh explains in a post on medium.com how he thought to look for the vulnerability and how he found it, and notes that he notified Zoom and gave them 90 days to fix it before he would go public. You can read all of that here: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

The issue was threefold (quoting his post):

  * “This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
  * On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
  * Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.”

We then looked into the response from Zoom. They acknowledged the issue and set out to fix it.

Response to Video On Concern

In short, they changed Zoom so that your camera is off by default when you join a call, and you must click to turn it on. Some clients may find this a slight annoyance, but it prevents your video from starting without your consent when you click a malicious link.


Separately, Apple also stepped in, pushing a silent update to Macs that removes Zoom’s local web server altogether. Read more on Mashable.com: Apple took action to fix Zoom flaw…

As of now, the vulnerability has been dealt with: Zoom has patched its client, and Apple’s silent update has removed the local web server that made the most glaring part of the issue possible.
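If you want to confirm on a particular Mac that the local web server described above is actually gone, the following check script is an added example for this page; it is not from the original notice, nor from Zoom or Apple. It assumes two specifics that this page does not name but that were reported in the public disclosure: the helper listened on TCP port 19421 on localhost and lived in a hidden ~/.zoomus directory. Both are parameters, so the script can also be pointed at a test directory or a different port.

```shell
#!/bin/sh
# Added check (hypothetical helper names): does this machine still have the
# Zoom local web server? Port 19421 and ~/.zoomus come from the public
# disclosure, not from this page; both can be overridden per call.

ZOOM_OPENER_PORT=19421

# zoom_opener_dir_present [HOME_DIR] -> prints "present" or "absent"
zoom_opener_dir_present() {
    home="${1:-$HOME}"
    if [ -d "$home/.zoomus" ]; then
        echo present
    else
        echo absent
    fi
}

# zoom_opener_listener [PORT] -> prints "listening", "free" or "unknown"
# (unknown when neither lsof nor ss is available to inspect sockets).
zoom_opener_listener() {
    port="${1:-$ZOOM_OPENER_PORT}"
    if command -v lsof >/dev/null 2>&1; then
        if lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1; then
            echo listening
        else
            echo free
        fi
    elif command -v ss >/dev/null 2>&1; then
        if ss -ltn 2>/dev/null | grep -q ":$port[[:space:]]"; then
            echo listening
        else
            echo free
        fi
    else
        echo unknown
    fi
}

# zoom_opener_check [HOME_DIR] [PORT] -> prints "clean" (exit 0) when the
# hidden directory is absent and nothing is listening on the port, otherwise
# prints "found (...)" with the details and exits 1.
zoom_opener_check() {
    dir_state=$(zoom_opener_dir_present "$1")
    port_state=$(zoom_opener_listener "$2")
    if [ "$dir_state" = absent ] && [ "$port_state" != listening ]; then
        echo clean
        return 0
    fi
    echo "found (directory: $dir_state, port: $port_state)"
    return 1
}

# Usage on the machine being checked:
#   . ./zoom_check.sh && zoom_opener_check
```

A result of "found" after the updates means the old helper is still on the machine and the Zoom client should be reinstalled from zoom.us/download so it can clean up after itself; "unknown" for the port only means the script could not inspect sockets, not that something is listening.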

Despite that, we felt it was appropriate to notify you of this issue and let you know we’ve been monitoring it. We would still advise you to update your Zoom app to the latest version. If the app has not prompted you to do so, the latest secure version can be found here: zoom.us/download. You can also check for updates from your Zoom app as seen here:

You can prevent Zoom from automatically starting video by selecting “Turn off my video when joining a meeting” in Settings > Video. With this checked, you can choose whether to join by video for each meeting:

If you have any further questions, please email us at ProviderSupport@itherapy.com

Thank you.