Zoom finally released patches for two long-ago reported vulnerabilities in its platform, including one that allows malicious websites to enable a user's camera without permission, exposing up to 750,000 companies around the world.
Software engineer Jonathan Leitschuh discovered two vulnerabilities in the Mac Zoom client back in March 2019: a Denial of Service (DoS) vulnerability, CVE-2019-13449, and an Information Disclosure (Webcam) vulnerability, CVE-2019-13450.
Leitschuh attempted to contact Zoom several times, offering both a “quick fix” solution and a 90-day public disclosure deadline, he said in a Medium post.
The other vulnerability allows any webpage to DoS a Mac by repeatedly joining the user to an invalid call. It leverages a Zoom feature that lets users send anyone a meeting link.
Leitschuh also discovered that any user who has ever installed the Zoom client and then uninstalled it still has a localhost web server on their machine, one that will re-install the Zoom client without any user interaction beyond visiting a webpage.
Zoom addressed Leitschuh’s concerns about the webcam vulnerability in a July 8 public response, although it downplayed the severity, adding that it will give users more control over their video settings.
“Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately,” Zoom said of the researcher's findings. “Also of note, we have no indication that this has ever happened.”
On July 9, Zoom patched the application by removing the local web server entirely, and it has a release planned for July 12 that will address the video-on-by-default issue.