Zoom Vulnerability Message to IT Pros (CCSP)
Three Zoom security issues have been addressed and resolved: a video issue affecting Windows and Mac users, and two Mac desktop client vulnerabilities.
The following message went out to UIUC CCSP on Wednesday, 7/10/2019:
Software Services was notified on Tuesday, 7/9/19, of a publicly disclosed security issue (view the complete report here) affecting the Zoom desktop and mobile clients. You can review Zoom's official response and the most recent updates on the Zoom Blog.
In summary, the disclosure outlines three areas of concern:
LOCAL DENIAL OF SERVICE VULNERABILITY (MAC ONLY)
"Someone could potentially target a Mac user who already had the Zoom client installed with an endless loop of meeting join requests, thereby causing the targeted machine to lock up."
Zoom reports no indication that this vulnerability was ever exploited, and it released a fix for it in May 2019.
AUTO JOIN VIA LOCAL WEB SERVER (MAC ONLY)
"Zoom installs a local web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting."
Zoom released a patch on the evening of July 9, 2019, that removes the local web server entirely once the Zoom client has been updated. The update also allows users to manually uninstall the Zoom client completely from their device. Mac users will be prompted to update their client; they should accept the update and then verify that they are running the latest version of the Zoom client.
If you have installed the Zoom desktop client or mobile application, please review this article on how to check the version you are running and update your Zoom client with the latest release.
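For Mac administrators who want to confirm the two outcomes described above (the local web server is gone after the July 9 update, and the installed client meets the required version), the following script is an added example; it is not code from this page, from Zoom, or from Software Services. It assumes, based on the public disclosure rather than anything stated on this page, that the local web server listened on TCP port 19421 on localhost and was installed under ~/.zoomus; it also assumes the client's version is readable from /Applications/zoom.us.app/Contents/Info.plist. The required version is a placeholder that the reader supplies from Zoom's release notes.

```python
"""Added example (not from the page or from Zoom): post-update check on macOS
that the local web server is gone and the Zoom client is at a required version.

Assumptions not stated on the page, taken from the public disclosure:
the local web server listened on TCP 19421 on localhost and lived in ~/.zoomus.
"""
import plistlib
import socket
import sys
from pathlib import Path

LOCAL_WEB_SERVER_PORT = 19421          # assumption: port from the disclosure
ZOOMUS_DIR = Path.home() / ".zoomus"   # assumption: helper directory from the disclosure
ZOOM_APP_PLIST = Path("/Applications/zoom.us.app/Contents/Info.plist")  # assumption


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts a TCP connection on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            return False
    return True


def leftover_files(zoomus_dir=ZOOMUS_DIR):
    """Return paths still present under the old helper directory ([] if it is gone)."""
    zoomus_dir = Path(zoomus_dir)
    if not zoomus_dir.is_dir():
        return []
    return sorted(str(p) for p in zoomus_dir.iterdir())


def parse_version(text):
    """'4.4.53932.0709' -> (4, 4, 53932, 709); non-numeric pieces count as 0."""
    return tuple(int(piece) if piece.isdigit() else 0
                 for piece in text.strip().split("."))


def version_at_least(installed, required):
    """Compare dotted versions numerically, padding the shorter tuple with zeros."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(plist_path=ZOOM_APP_PLIST):
    """Read CFBundleShortVersionString from the app bundle, or None if absent."""
    plist_path = Path(plist_path)
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def local_web_server_check(port=LOCAL_WEB_SERVER_PORT, zoomus_dir=ZOOMUS_DIR):
    """Summarise the two things the update is supposed to remove."""
    listening = port_is_listening(port)
    leftovers = leftover_files(zoomus_dir)
    return {"listening": listening, "leftover": leftovers,
            "clean": not listening and not leftovers}


if __name__ == "__main__":
    # Usage: python zoom_check.py <required-version>   (version from Zoom's release notes)
    required = sys.argv[1] if len(sys.argv) > 1 else None
    result = local_web_server_check()
    print("local web server listening:", result["listening"])
    print("leftover files:", result["leftover"] or "none")
    version = installed_version()
    print("installed version:", version or "not found")
    if version and required:
        print("meets required version:", version_at_least(version, required))
```

The port probe is a plain TCP connect: a listener that accepts the connection is reported as still present, so run it after the client has been updated and relaunched. A clean result is one where nothing answers on the port and the helper directory no longer exists.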