Mac and Windows customers with the Zoom desktop app installed were affected by the flaw. Farley told BuzzFeed News that this use case was not evaluated as a part of Zoom’s threat modeling. It is also widely used in schools (the company offers a product tailored for K–12 use). The company’s clientele includes the Centers for Disease Control and Prevention, the US Department of Homeland Security, the US Department of Energy, Nasdaq, Uber, and Delta Air Lines. While the company no longer releases customer numbers, in a 2015 press release, it boasted that 40 million individuals had participated in Zoom meetings. Millions of people use Zoom’s corporate video conferencing apps. There isn’t really a way for us to look at the logs to determine whether that was an intentional join by the user or the user was phished into joining.”
#Zoom desktop client mac update#
Zhumu has not yet issued a patch for the security flaw (the last update available for the software was released on June 17).Įarlier in the day, Zoom chief information security officer Richard Farley told BuzzFeed News that there have been no reports of the video camera access attack based on customer support records, but also admitted that “Meeting joins happen all the time. Lyons detailed a technical fix on Github. However, Lyons told BuzzFeed News that for customers who have previously uninstalled RingCentral there is no way to easily remove the hidden server. RingCentral issued an update for its Mac app (version 08.0712) that protects users by removing the hidden web server installed on computers containing the vulnerability on July 12. In a blog post updated Tuesday afternoon, Zoom said it will release a patch for the vulnerability by July 11. It left the video camera issue unaddressed. The company responded by releasing a fix for an unrelated flaw that would allow a hacker to trigger an endless loop of meeting requests. Leitschuh reported the vulnerability to Zoom in March.
On July 15, another security researcher, Karan Lyons, published a report showing that RingCentral, which licenses Zoom's technology and is used by over 350,000 businesses, as well as Zhumu - essentially the Chinese version of Zoom - are affected by the same vulnerability. Leitschuh told BuzzFeed News that the attack also affects Windows users who have opened custom URLs from Zoom on Chrome browsers. The vulnerability, which allows attackers to initiate a video-enabled call on a Mac without user consent, was first reported by software engineer Jonathan Leitschuh yesterday. Video conferencing service Zoom left millions of users exposed to a security flaw that could allow attackers easy access to its users laptop cameras and microphones.
0 kommentar(er)
