Zoom Vulnerability Message to IT Pros (CCSP)

Three Zoom security issues are addressed and resolved: the video-on-by-default issue for Windows and Mac users, and two Mac desktop client vulnerabilities.

The following message went out to UIUC CCSP on Wednesday, 7/10/2019:

Software Services was notified on Tuesday 7/9/19 of a publicly disclosed security issue (view the complete report here) affecting the Zoom desktop and mobile clients. You can review Zoom's official response and most recent updates on the Zoom Blog.

In summary, the article outlines three areas of concern:

VIDEO ON VULNERABILITY (WINDOWS AND MAC)

All new accounts in the Illinois Zoom Portal are configured with video OFF by default when joining meetings. However, customers have the option of changing this setting. We recommend reviewing this setting to verify that video sharing is turned off when joining meetings; this link provides detailed instructions on how to change this option in the Zoom desktop application.


 LOCAL DENIAL OF SERVICE VULNERABILITY (MAC ONLY)

"Someone could potentially target a Mac user who already had the Zoom client installed with an endless loop of meeting join requests, thereby causing the targeted machine to lock up."

Zoom has no indication that this vulnerability was ever exploited, and a fix for it was released in May 2019.

AUTO JOIN VIA LOCAL WEB SERVER (MAC ONLY)

"Zoom installs a local web server on Mac devices running the Zoom client. This is a workaround to an architecture change introduced in Safari 12 that requires a user to accept launching Zoom before every meeting. The local web server automatically accepts the peripheral access on behalf of the user to avoid this extra click before joining a meeting."

Zoom implemented a patch the evening of July 9, 2019, that removes the local web server entirely once the Zoom client has been updated. The update also allows users to manually uninstall the Zoom client completely from their device. Mac users will be prompted to update their client; they should perform this step and verify they are using the latest version of the Zoom client.

If you have installed the Zoom desktop client or mobile application, please review this article on how to check the version you are running and update your Zoom client with the latest release.

All current versions of Zoom are available for download from the Zoom download center. Please email any questions to webstore@illinois.edu.

Keywords: Zoom Security Vulnerability Video Mac
Doc ID: 93068
Owner: Phil N.
Group: University of Illinois Technology Services
Created: 2019-07-10 17:18 CDT
Updated: 2019-07-12 10:29 CDT
Sites: University of Illinois Technology Services