Security researchers have publicly disclosed a serious zero-day vulnerability in the Zoom video conferencing app on Macs. According to the researchers, this vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
Boris Cipot, Senior Security Engineer at Synopsys:
“All software has the potential to be vulnerable, and we can’t expect a company that provides proprietary software to be able to fix vulnerabilities immediately. The good thing is that once researchers disclose a vulnerability, they usually try to also offer a mitigation procedure or give you possible ways to mitigate the issue until a fix has been found. Users should monitor the software they’re using (operating systems, applications and their extensions), patch them when needed and mitigate any vulnerabilities disclosed. Nobody else will do it for you.”
Lamar Bailey, Senior Director of Security at Tripwire:
“This is a good example of why you should never overlook physical security. The little adhesive camera covers available by the dozens at every computer conference or for a couple of dollars on Amazon are a much better solution than relying on software to do the right thing. We install so many apps these days that it is hard to keep up with the permissions they require and what they turn on by default on upgrades and reinstalls. A physical barrier is far superior.
The same holds true for all assets: everything should have the least common privilege. If a system does not need access to the internet, then it should be blocked, and any unrequired services should be disabled. If you can airgap parts of the network, then do so. IoT devices should be segregated on different segments or VLANs whenever possible. The more access a system or network has, the more susceptible it is to breach.”
Eoin Keary, CEO and Co-founder at Edgescan:
“A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner. This does not appear to be the case, as the first meeting with the researcher about how the vulnerability would be patched occurred only 18 days before the end of the 90-day public disclosure deadline.
What’s unfortunate, invasive and a violation of trust is when the software seems “uninstalled” but really isn’t. This is a breach of transparency and exposes individuals who believe they don’t have the software installed to attacks. Persisting a webserver on a user’s machine whilst giving the impression it’s uninstalled is akin to a malicious threat actor. It’s underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom.”