A critical zero-day vulnerability in enterprise video conferencing provider Zoom’s Mac app has highlighted the importance of regular use of webcam covers, according to cybersecurity experts.
The vulnerability, which was identified by security researcher Jonathan Leitschuh, allows malicious websites to activate the camera of any Mac with the Zoom client installed. It also allows the Zoom client to be reinstalled without the user’s knowledge on any Mac on which the app was previously installed.
This means that not only can the vulnerability be exploited to remotely activate a user’s camera without their knowledge, but it could also be used to cripple a targeted Mac through a denial of service, by repeatedly connecting the machine to an invalid call.
Zoom had issued a patch for the issue; however, Leitschuh said he had identified a workaround to the fix that still allows malicious actors to take advantage of it.
On 9 July Zoom issued a further patch that fixed the issue and prevented the client from being reinstalled on machines without the user’s knowledge.
“We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” wrote Zoom in a blog post when it issued the patch.
“But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend.”
Zoom vulnerability a reminder of the importance of physical security
For cybersecurity researchers, the Zoom vulnerability highlights the importance of basic physical security practices, specifically the use of webcam covers.
“This is a good example of why you should never overlook physical security. The little adhesive camera covers available by the dozens at every computer conference or for a couple of dollars on Amazon are a much better solution than relying on software to do the right thing,” said Lamar Bailey, senior director of security at Tripwire.
“We install so many apps these days it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls. A physical barrier is far superior.”
“With the possibility of malware being able to attack a webcam at any moment without the correct service patch or up to date antivirus, it is imperative that users cover their camera up at all times when not in use,” adds Jake Moore, cybersecurity specialist at ESET.
“Whether you have installed the Zoom application or not, webcam covers are cheap and extremely effective. Failing the use of a webcam cover, Blu Tack or duct tape is just as effective and could help prevent attackers from viewing you and your surroundings should any malicious software get onto your computer.”
Zoom under fire for handling of vulnerability
Zoom has also attracted criticism for how it has handled the incident.
In his Medium post outlining the issue, Leitschuh criticised the company for not reacting more quickly when notified of the vulnerability, saying that the company took 10 days to confirm the vulnerability, and 18 days to hold the first meeting about how it would be patched.
This view was echoed by others in the cybersecurity community.
“A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner,” said Eoin Keary, CEO and co-founder of edgescan.
“This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.”
Keary also expressed concern about the ability to reinstall the software without the user’s knowledge – an issue that Zoom has now fixed in a patch on 9 July.
“What’s unfortunate, invasive and a violation of trust is when the software seems ‘uninstalled’ but really isn’t. This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks,” he said.
“Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor. It’s underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.”