Zoom Vulnerability
Department Knowledge Base (KB) Article
Subject: Zoom Vulnerability
Zoom Vulnerability Message to IT Pros (CCSP)
Three Zoom security issues are addressed and resolved: video for Windows and Mac users, and two Mac desktop client vulnerabilities.

The following message went out:

Software Services was notified on Tuesday 7/9/20 of a disclosed security issue (view the complete report here) with the Zoom desktop and mobile clients. You can review Zoom's official response and most recent updates on the Zoom Blog.
In summary, the article outlines three areas of concern:

VIDEO ON VULNERABILITY (WINDOWS AND MAC)

"An attacker can trick a target Zoom user into clicking a web link to the attacker's Zoom meeting ID URL, either in an email message or on an internet web server. The target user could unknowingly auto join the attacker's Zoom meeting. If the user has not explicitly configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user's video camera."
All new accounts in the Edifecs Zoom Portal are configured with video OFF by default when joining meetings. However, associates can change this setting themselves. We recommend verifying that video sharing is still turned off when joining meetings; please review this link for detailed instructions on how to change this option in the Zoom desktop application.
LOCAL DENIAL OF SERVICE VULNERABILITY (MAC ONLY)

"Someone could potentially target a Mac user who already had the Zoom client installed with an endless loop of meeting join requests, thereby causing the targeted machine to lock up."
Zoom has no indication that this vulnerability was ever exploited and released a fix for it in May 2020.

AUTO JOIN VIA LOCAL WEB SERVER (MAC ONLY)

"Zoom installs a local web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting."
Zoom implemented a patch the evening of July 9, 2020, to remove the local web server entirely once the Zoom client has been updated. The update also allows users to manually uninstall the Zoom client completely from their device. Mac users will be prompted to update their client and should perform this step and verify they are using the latest version of the Zoom client.

If you have installed the Zoom desktop client or mobile application, please review this article on how to check the version you are running and update your Zoom client with the latest release.
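For IT staff who want to confirm both steps above on a Mac from the command line, here is an added audit script (not part of the original message and not Zoom's own tooling). It assumes the client's install path, the first patched version number and the local web server's port; all three are placeholders to be filled from Zoom's release notes before use.

```shell
#!/bin/sh
# Added example, not part of the original message or of Zoom's own software. It audits a Mac
# after the update described above: is the client at or above the patched version, and is
# anything still listening on the local web server port the update was meant to remove?
# The three values below are PLACEHOLDERS (assumptions); fill them from Zoom's release notes.
ZOOM_APP="/Applications/zoom.us.app"   # assumed install path of the desktop client
ZOOM_MIN_VERSION="0.0.0"               # placeholder: first client version carrying the fix
ZOOM_LOCAL_PORT="0"                    # placeholder: port the removed local web server used

# version_ge A B: exit 0 when dotted version A >= B, comparing each field as an integer,
# so "4.10" sorts above "4.9" and a missing trailing field counts as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}
# Installed client version from the app bundle's Info.plist (empty if not installed).
zoom_installed_version() {
    v="$(defaults read "$ZOOM_APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)"
    printf '%s\n' "${v%% *}"   # keep the leading dotted number, drop any build suffix
}
# Exit 0 when some process still has a TCP listener on the local web server port.
zoom_local_listener_present() {
    lsof -nP -iTCP:"$ZOOM_LOCAL_PORT" -sTCP:LISTEN >/dev/null 2>&1
}
# Run both checks; exit non-zero if either fails so the result can feed a fleet report.
zoom_audit() {
    status=0
    ver="$(zoom_installed_version)"
    if [ -z "$ver" ]; then
        echo "Zoom client not found at $ZOOM_APP"
    elif version_ge "$ver" "$ZOOM_MIN_VERSION"; then
        echo "OK: Zoom client $ver is at or above $ZOOM_MIN_VERSION"
    else
        echo "UPDATE NEEDED: Zoom client $ver is below $ZOOM_MIN_VERSION"; status=1
    fi
    if zoom_local_listener_present; then
        echo "WARNING: a listener is still bound to local port $ZOOM_LOCAL_PORT"; status=1
    else
        echo "OK: no listener on local port $ZOOM_LOCAL_PORT"
    fi
    return $status
}
if [ "$(uname)" = "Darwin" ]; then zoom_audit; fi
```

The audit only runs on macOS; on other systems the file just defines the functions, so version_ge can be reused from a fleet management script.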