Mac Zoom Client Vulnerability

7/11/2019 9:54am

Ars Technica reported this evening in its article Silent Mac Update Nukes Dangerous Webserver Installed by Zoom that "Apple delivered the silent update automatically, meaning there was no notification or action required of end users. Apple's update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join. Previously, clicking on a link—or even encountering a link hidden in a malicious website—automatically opened Zoom and put them into the conference."

To confirm that Apple's update is applied, open Terminal and run:
softwareupdate --history
and look for an entry named MRTConfigData with version 1.45 (a later MRTConfigData version supersedes it). MRTConfigData is the definition update for Apple's built-in Malware Removal Tool, which is how Apple removed the Zoom web server without requiring a Zoom update.

According to software security researcher Jonathan Leitschuh, a vulnerability in the Mac Zoom client (a local web server that the client installs and that accepts meeting-join requests from any web page you visit) may allow a malicious website to push you into a Zoom meeting with your camera enabled, without your permission. Technical details of his findings can be read at his Medium post: Zoom Zero Day.

How might this affect you? If you were tricked into clicking a web link to an attacker's Zoom meeting, you would join it automatically, and the attacker might be able to see your video feed unless you have configured your Zoom client to turn off video when joining meetings.

Zoom issued a response to this video-on concern, in which they pointed out that "because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened."

Key take-aways:

  • This affects only Mac Zoom client apps (including RingCentral, which repackages Zoom).
  • As a precaution, Mac Zoom users can disable the setting that turns video on by default when joining a meeting. Other Zoom users may also want to take this opportunity to do so if they rarely use video. (see image below)
  • If you’ve ever installed the Zoom client and then uninstalled it, you could still have a localhost web server on your machine that will re-install the Zoom client without requiring any interaction on your part aside from visiting a webpage. We are checking with Zoom about this issue.
  • The Service Center is available to assist with settings, either remotely or at their service desk in Page-Robinson Hall. Visit it.brown.edu/get-help for phone, chat and email contact information as well as directions.

Zoom video settings, highlighting "Turn off my video when joining a meeting"
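Both checks described above (that Apple's MRTConfigData 1.45 update has been applied, and that no leftover localhost web server from an earlier Zoom install is still present) can be scripted. The following is an added example written for this alert; it is not code from Apple, Zoom or Leitschuh's post. It assumes, per Leitschuh's disclosure rather than anything stated in this alert, that the leftover server is ZoomOpener.app under ~/.zoomus and that it listens on 127.0.0.1 port 19421. It also embeds a constructed sample of softwareupdate --history output so the parsing can be exercised on a machine that is not a Mac.

```shell
#!/bin/sh
# Added example for this alert (not Apple's, Zoom's or Leitschuh's code).
# 1) Parse `softwareupdate --history` for MRTConfigData and confirm 1.45+.
# 2) Look for a leftover ZoomOpener web server on this Mac.
# Assumption (from Leitschuh's disclosure, not from this alert): ZoomOpener
# lives in ~/.zoomus/ZoomOpener.app and listens on 127.0.0.1:19421.

# Constructed sample of `softwareupdate --history` output, used to exercise
# the parser off a Mac; real output has the same three columns.
SAMPLE_HISTORY='Display Name                                       Version    Date
------------                                       -------    ----
XProtectPlistConfigData                            2103       07/09/2019, 10:02:11
MRTConfigData                                      1.44       06/20/2019, 09:11:02
MRTConfigData                                      1.45       07/10/2019, 20:15:31
'

# Print the newest MRTConfigData version found in history text on stdin.
mrt_version_from_history() {
    awk '$1 == "MRTConfigData" { print $2 }' | sort -t. -k1,1n -k2,2n | tail -n 1
}

# Succeed if dotted numeric version $1 is greater than or equal to version $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Succeed if the history text on stdin shows MRTConfigData $1 or newer.
mrt_update_applied() {
    have=$(mrt_version_from_history)
    [ -n "$have" ] && version_ge "$have" "$1"
}

# Live check: meaningful only on macOS, where softwareupdate exists.
# Returns 0 if the update is present, 1 if missing, 2 if the check was skipped.
check_mrt_live() {
    if ! command -v softwareupdate >/dev/null 2>&1; then
        echo "softwareupdate not found (not macOS?); skipping MRT check"
        return 2
    fi
    if softwareupdate --history | mrt_update_applied 1.45; then
        echo "OK: MRTConfigData 1.45 or later is installed"
    else
        echo "MISSING: MRTConfigData 1.45 not in history; check Software Update"
        return 1
    fi
}

# Succeed (and say why) if a leftover ZoomOpener server appears to be present.
zoom_opener_present() {
    present=1
    if [ -d "$HOME/.zoomus/ZoomOpener.app" ]; then
        echo "FOUND: $HOME/.zoomus/ZoomOpener.app still exists"
        present=0
    fi
    if command -v lsof >/dev/null 2>&1 \
       && lsof -nP -iTCP:19421 -sTCP:LISTEN >/dev/null 2>&1; then
        echo "FOUND: a process is listening on 127.0.0.1:19421 (ZoomOpener's port)"
        present=0
    fi
    return $present
}

# Run both live checks; non-zero status means something needs attention.
# A skipped MRT check (not macOS) is reported but does not count as a failure.
main() {
    rc=0
    mrt_rc=0
    check_mrt_live || mrt_rc=$?
    if [ "$mrt_rc" -eq 1 ]; then
        rc=1
    fi
    if zoom_opener_present; then
        rc=1
    else
        echo "OK: no ZoomOpener server found"
    fi
    return $rc
}

main
```

Run it as an ordinary user on the Mac in question (sh zoom_check.sh); the port check needs lsof, which ships with macOS. A FOUND result for the ZoomOpener server means the Zoom client was installed at some point and the local server outlived it; Leitschuh's post linked above describes how to remove it.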


Written by pfalcon@brown.edu on