Video conferencing service Zoom, feeling the pressure from heavy media coverage of a security flaw in their Mac client that allows access to a user’s webcam, has released a fix for the issue.
In an announcement on Zoom’s official blog, the company says the emergency security patch removes a local web server the company uses to bypass a Safari 12 protection feature. The patch also allows users to completely uninstall the app.
The July 9 patch to the Zoom app on Mac devices detailed below is now live. You may see a pop-up in Zoom to update your client, download it at zoom.us/download, or check for updates by opening your Zoom app window, clicking zoom.us in the top left corner of your screen, and then clicking Check for Updates.
Zoom released the patch, despite an earlier claim on Tuesday that both actions would be difficult to implement.
Security researcher Jonathan Leitschuh earlier today disclosed a serious zero-day vulnerability in the Zoom video conferencing app for the Mac that can allow a website to hijack the webcam on a Mac.
In a post on Medium, Leitschuh showed how simply visiting a malicious website allows the site to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. In addition, the vulnerability would have allowed any webpage to mount a DoS (denial-of-service) attack against a Mac by repeatedly joining the user to an invalid call.
If a user has ever installed the Zoom client and then uninstalled it, the Mac still runs a localhost web server that will re-install the Zoom client, without requiring any user interaction beyond visiting a webpage.
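The practical check that follows from this is whether a machine still has such a loopback listener after an app was removed. The script below is an added example, not Zoom's code or part of the article: it parses the output of `lsof -iTCP -sTCP:LISTEN -P -n` (run by an administrator on the Mac) and reports listening sockets owned by processes that are not on an allowlist, marking those bound only to loopback. The sample output, the process name `ExampleHelper`, the PIDs and the port 40000 are constructed placeholders and do not describe Zoom's actual server.

```python
"""Report loopback listeners that a desktop app may have left behind.

Added illustration (not Zoom's or the article's code). Input is the text of
`lsof -iTCP -sTCP:LISTEN -P -n`; everything below parses that format offline.
"""
import re
from typing import Dict, FrozenSet, List

# lsof prints the NAME column as "TCP host:port (LISTEN)"; IPv6 hosts are bracketed.
LISTEN_RE = re.compile(r"TCP\s+(?P<host>\S+?):(?P<port>\d+)\s+\(LISTEN\)")
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Processes that are expected to listen on a stock macOS install (assumed allowlist).
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({"launchd", "rapportd"})

# Constructed sample of lsof output. "ExampleHelper", the PIDs and port 40000
# are placeholders, not values taken from the article or from Zoom.
SAMPLE_LSOF = """\
COMMAND       PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd         1  root  10u IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
rapportd      412 alice   4u IPv4 0x1a2c      0t0  TCP *:49152 (LISTEN)
ExampleHelper 987 alice   6u IPv4 0x1a2d      0t0  TCP 127.0.0.1:40000 (LISTEN)
ExampleHelper 987 alice   7u IPv6 0x1a2e      0t0  TCP [::1]:40000 (LISTEN)
"""


def parse_listeners(lsof_text: str) -> List[Dict[str, object]]:
    """Turn lsof LISTEN lines into dicts; the header line has no '(LISTEN)' and is skipped."""
    listeners: List[Dict[str, object]] = []
    for line in lsof_text.splitlines():
        match = LISTEN_RE.search(line)
        if not match:
            continue
        fields = line.split()  # COMMAND PID USER ... are whitespace separated
        host = match.group("host").strip("[]")
        listeners.append(
            {
                "command": fields[0],
                "pid": int(fields[1]),
                "user": fields[2],
                "host": host,
                "port": int(match.group("port")),
                # A loopback-only bind is invisible to the network but still
                # reachable by any web page the local browser renders.
                "loopback_only": host in LOOPBACK_HOSTS,
            }
        )
    return listeners


def find_unexpected_listeners(
    lsof_text: str, allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST
) -> List[Dict[str, object]]:
    """Return listeners whose owning process is not on the allowlist."""
    return [entry for entry in parse_listeners(lsof_text) if entry["command"] not in allowlist]


def main() -> None:
    for entry in find_unexpected_listeners(SAMPLE_LSOF):
        scope = "loopback only" if entry["loopback_only"] else "all interfaces"
        print(
            f"{entry['command']} (pid {entry['pid']}, user {entry['user']}) "
            f"listens on {entry['host']}:{entry['port']} [{scope}]"
        )


if __name__ == "__main__":
    main()
```

On a real machine, pipe the live lsof output into `find_unexpected_listeners` and extend the allowlist with the daemons your fleet legitimately runs; a non-allowlisted loopback listener whose application has supposedly been uninstalled is the condition the article describes.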