In his original Medium post, Jonathan Leitschuh noted that the vulnerability "allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission". The update will now prompt Mac users to open the app themselves, instead of opening it automatically as it did previously.
The story, pardon the pun, may very well zoom out beyond this particular piece of web conferencing software and apply to other apps for the Mac.
Such a link allows Zoom to begin a video call through its app, even if the recipient has not accepted it.
Doing so kills the hidden web server off entirely, although of course it will come back if you reinstall or update the Zoom app. "This re-install 'feature' continues to work to this day."
"Even for those who did not upgrade, Zoom will not use the local web server to join meetings automatically anymore, as we have disabled it on our backend." "So that's why we made the decision to remove that component, despite the fact that it's going to require an extra click from Safari." Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end-users. According to Leitschuh, he first contacted the company about the issue in late March, warning that he would go public with the information within 90 days if it wasn't fixed. The patch will also address the issue of video being on by default.
"We misjudged the situation and did not respond quickly enough, and that's on us," Yuan wrote.
"This is a breach of transparency and exposes individuals who believe they don't have the software installed to attacks. Persisting a web server on a user's machine whilst giving the impression it's uninstalled is akin to a malicious threat actor. It's underhanded and breaches trust boundaries."
"We all know these are people trying to make conferencing usable, and in general, Zoom is a great product," Callas says. But it looks like that has never truly been the whole story.
Now, it seems that Zoom has also been the victim of a severe issue with its video-conferencing software. "A physical barrier is far superior." "If a system does not need access to the internet, then it should be blocked, and any unrequired services should be disabled." IoT devices should be segregated onto different network segments or VLANs whenever possible.