Affecting 4 million users! Zoom has a serious vulnerability: any website can hijack the Mac camera

Zoom vulnerability may affect 4 million Mac users

Recently, security researcher Jonathan Leitschuh publicly disclosed a serious "zero-day vulnerability" in the Zoom video conferencing client for Mac computers. The vulnerability lets any website (including malicious ones) forcibly join the user to a Zoom call without the user's permission and turn on the Mac's camera. In addition, the vulnerability lets any web page DoS a Mac by repeatedly joining the user to invalid calls.

Leitschuh's analysis is that part of the cause is that the Zoom application installs a web server on the Mac, which accepts requests that an ordinary browser would never be allowed to make on its own. Any website the user visits can interact with the web server running on their Mac, which is very harmful to the user's privacy and information security.

Since it is such a trap, can't you just uninstall it and be done? Unfortunately, the problem is not that simple. A one-click uninstall cannot fix this at the root. Zoom seems to have anticipated long ago that you would do this, and "buried a mine" in advance. Even if the user uninstalls Zoom from the Mac, a local web server remains on the machine, and it can reinstall the Zoom client without the user's permission. Ordinary users cannot simply close this web server; it takes a few extra lines of terminal commands. Zoom explained that the only reason the localhost server exists is that Apple's Safari does not support URI handlers.

It is reported that as of 2015 Zoom had over 40 million users worldwide, and Macs account for 10% of the PC market. A rough estimate is therefore that at least 4 million Zoom users currently use Macs. In recent years Zoom has grown into the world's leading cloud video conferencing provider and has become an essential tool of the modern workplace. Now, this vulnerability in Zoom may pose a serious information security threat to those 4 million Mac users.

Zoom stated that Apple's Safari does not support URI handlers, so the company developed a local web server (a localhost web server) for the convenience of Zoom users on Macs. A few days ago, Zoom responded to the media in a statement: "Running a local server is a legitimate solution to a poor user experience, enabling our users to join meetings seamlessly with one click. This is the main differentiating feature of our product."

The vulnerability was discovered 3 months ago

In fact, Jonathan Leitschuh discovered this vulnerability as early as 3 months ago. He found that Zoom had a video call vulnerability that could be used to start a call with someone without their permission. If a similar vulnerability is found in the future, it would allow any website to achieve RCE on the user's computer, which poses a major security risk for users running Zoom 4.1 or lower.

While looking at the Web Developer Console, Leitschuh unexpectedly found that the web server was returning its data encoded in the dimensions of an image file. Leitschuh guessed that Zoom had done this deliberately in order to bypass cross-origin resource sharing (CORS) protection. The browser explicitly ignores any CORS policy for servers running on localhost.

The vulnerability abuses a very simple Zoom feature: a user can send a Zoom meeting link (for example https://zoom.us/j/xxxx) to anyone, and as soon as the recipient opens the link in a browser, their Zoom client automatically opens and runs on the local computer.

In addition, Leitschuh said, a meeting host can choose to have participants' cameras turned on when they join a call. Zoom's local web server runs as a background process, so the user does not even need to "run" the Zoom application directly. To activate the camera, it is enough to embed the Zoom meeting link in a website with an iframe, and any Zoom user who visits is immediately connected with their video on. This is a serious security hole: if it is embedded in a malicious advertisement or used for phishing, the consequences would be disastrous.

Out of responsibility to the many users of Zoom, Jonathan Leitschuh contacted Zoom shortly after discovering the vulnerability and gave the company a 90-day public disclosure deadline.

During this period, Leitschuh communicated with Zoom several times about fixing the vulnerability. However, Zoom seemed less than active and repeatedly argued that the severity of the vulnerability was limited because exploiting it requires "user interaction". It was not until 18 days before the end of the 90-day disclosure period that the first meeting on how to fix the vulnerability was held. That meeting confirmed the details of the vulnerability and discussed the solution Zoom planned.

In the remaining 18 days, Zoom used a quick fix to stop web pages from automatically opening the webcam, and the vulnerability was finally fixed as the 90-day disclosure deadline arrived. But this fix was not complete. On July 7, this part of the fix was "rolled back" and the previous vulnerability reappeared: the webcam could still be opened without the user's permission.

Leitschuh criticized Zoom's solution as too "perfunctory". He believes that all Zoom did was prevent the attacker from turning on the user's camera, while the attacker can still plant a Zoom link on a malicious website and "force" any user who clicks the link by mistake to join a Zoom meeting.

How can Zoom users protect themselves?

Leitschuh stressed that all of Zoom's current vulnerabilities can be exploited by criminals in a "drive-by" fashion and pose a serious threat to users. He firmly believes that in order to fully protect users, the local web server in the Zoom application needs to be removed.

Since Zoom itself is not doing enough, what should ordinary users do to protect their information security? Leitschuh offers the following steps for users who want to fix this vulnerability themselves:

Disable the "open webcam when joining a meeting" function in Zoom.


Or, run the following terminal command:

# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

To shut down the web server, run lsof -i :19421 to get the PID of the process, then run kill -9 [process number]. After that you can delete the ~/.zoomus directory to remove the web server's application files.

To prevent Zoom from restoring this server after an update, run the following commands in the terminal:

rm -rf ~/.zoomus
touch ~/.zoomus
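The steps above can be combined into one audit-and-cleanup script. This is an added example, not code from the article or from Zoom; it assumes, as stated above, that the helper server listens on TCP 19421 and lives in ~/.zoomus, and the directory argument of neutralize_zoomus is a hypothetical addition so the cleanup can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the article: automates the three steps above as an
# audit-and-cleanup script for a Mac. Assumes the helper server listens on
# TCP 19421 and lives in ~/.zoomus, as stated above; the directory argument of
# neutralize_zoomus is a hypothetical addition so it can be tried on a scratch dir.
set -u

# Detection: print PIDs listening on the Zoom helper port. Returns 1 when
# nothing listens, 2 when lsof is unavailable, so it works as a check on its own.
zoom_server_pids() {
    port="${1:-19421}"
    command -v lsof >/dev/null 2>&1 || return 2
    pids=$(lsof -ti "tcp:${port}" -sTCP:LISTEN 2>/dev/null) || true
    [ -n "$pids" ] || return 1
    printf '%s\n' "$pids"
}

# Mitigation: replace <parent>/.zoomus with an empty regular file so a later
# Zoom update cannot recreate the server's directory there. Idempotent.
neutralize_zoomus() {
    target="${1:-$HOME}/.zoomus"
    if [ -d "$target" ]; then rm -rf "$target"; fi
    if [ -e "$target" ]; then rm -f "$target"; fi
    touch "$target"
    [ -f "$target" ] && [ ! -d "$target" ]
}

# Mitigation: turn off "open camera when joining" for the current account.
disable_zoom_video() {
    command -v defaults >/dev/null 2>&1 || return 2   # macOS only
    defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
}

main() {
    if pids=$(zoom_server_pids 19421); then
        echo "Zoom helper server listening on 19421 (PIDs: $pids); stopping it"
        for p in $pids; do kill -9 "$p"; done
    else
        echo "no listener on TCP 19421"
    fi
    neutralize_zoomus "$HOME" && echo "~/.zoomus replaced with an empty file"
    disable_zoom_video && echo "ZDisableVideo set for this account"
}

# Only act when explicitly asked: sh zoom_cleanup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once with the "run" argument, then run it again: the second pass should report no listener on 19421 and leave ~/.zoomus as an empty file.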

For more information about the Zoom security vulnerability, see:

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5


Source: blog.51cto.com/15060462/2678111