Zoom has pushed out an emergency patch that removes the local Web server its Mac app installed, a surprise U-turn from the company. Zoom had earlier defended the server as "a legitimate solution to a poor user experience problem," after a researcher showed how an attacker could use it to forcibly join a Mac user to a Zoom call with the video camera activated. The company has also revealed that it will release an updated Zoom version this weekend that carries the user's video preference from their first Zoom meeting over to all future Zoom meetings. Until now, Zoom users had to select their video preference for every single call.
Following a major public outcry over security researcher Jonathan Leitschuh's findings, the company announced the change in its stance in an updated blog post. As per the latest update, the July 9 patch to the Zoom app on Mac is now live. The update can be found on the company website or by using the Check for Updates option under the zoom.us menu in the top-left corner of the Zoom app. The patch removes the local Web server. Because the server was a separate component that kept running even after the main app was uninstalled, it is worth confirming after updating that nothing is still listening on the local port it used.
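A small post-patch check, added here as an example and not code from Zoom or from the article: it probes whether anything still accepts connections on the local port the helper server used and whether the helper's install directory is still present. The port number (19421) and the ~/.zoomus directory are taken from the researcher's public disclosure, not from this article, so they are parameters you can adjust; the script does not send any request to the server, it only tests reachability.

```python
import socket
from pathlib import Path

# Assumed values (from the public disclosure, not from this article):
# the helper web server listened on localhost TCP 19421 and was
# installed under ~/.zoomus. Both are parameters, not hard facts here.
ZOOM_LOCAL_PORT = 19421
ZOOM_HELPER_DIR = Path.home() / ".zoomus"


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if something accepts a TCP connection on host:port.

    A refused or timed-out connection means nothing is listening there.
    No data is sent, so this is safe to run against a live server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            return False
    return True


def helper_dir_present(path: Path = ZOOM_HELPER_DIR) -> bool:
    """Return True if the helper's install directory still exists."""
    return path.is_dir()


def residual_server_check(port: int = ZOOM_LOCAL_PORT,
                          helper_dir: Path = ZOOM_HELPER_DIR) -> dict:
    """Summarise whether the pre-patch local web server still appears to be around.

    Both flags False is the expected result after the July 9 patch.
    """
    return {
        "listening": port_is_listening(port),
        "helper_dir_present": helper_dir_present(helper_dir),
    }


if __name__ == "__main__":
    result = residual_server_check()
    for name, flag in result.items():
        print(f"{name}: {'FOUND' if flag else 'not found'}")
    if any(result.values()):
        print("Local helper server still present; re-run Check for Updates.")
    else:
        print("No residual local web server detected.")
```

On a Mac you can cross-check the port result with `lsof -i :19421` (substituting whichever port you set). A listener or a surviving ~/.zoomus directory after the update means the patch did not take, and the app should be updated again before assuming the issue is closed.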
“Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom said in a statement. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”
The company will also release an updated version of the Zoom app for Mac to fix the video-on-by-default 'feature', which was one of the reasons an attacker could get an unsuspecting Zoom for Mac user on camera. The updated Zoom version will be released on July 12 for all platforms and will save the video preference from the first Zoom meeting for all future meetings. Users will still have the option in the settings to change the preference.
In an update to his original Medium post, Leitschuh now says that the vulnerability that plagued Zoom for Mac is also present in Ringcentral.
"As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral, for their Web conference system, is a white-labelled Zoom system," Leitschuh wrote.