The chaos and panic created earlier this week by the disclosure of a privacy vulnerability in the highly popular and widely used Zoom video conferencing software is not over yet.
As suspected, it turns out that the core issue, a web server that the software installs locally, not only allowed any website to turn on your device’s webcam but could also allow hackers to take complete control of your Apple Mac computer remotely.
Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users to visit an innocent-looking web page.
As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability (CVE-2019-13450) in the way its click-to-join feature is implemented, which automatically turns on a user’s webcam when they visit an invite link.
Both vulnerabilities stem from a controversial local web server, running on port 19421, that the Zoom client installs on users’ computers to offer the click-to-join feature.
Security researcher Jonathan Leitschuh highlighted two primary issues: first, the local server “insecurely” receives commands over HTTP, allowing any website to interact with it; and second, it is not uninstalled when users remove the Zoom client from their systems, leaving them vulnerable forever.
Immediately after receiving heavy criticism from all sides, the company released an emergency update for its software that removes the vulnerable web server (ZoomOpener daemon) implementation altogether.
However, the software update could not protect former customers who no longer use the software but unknowingly still have the vulnerable web server active on their systems.
Worryingly, according to an advisory published by the National Vulnerability Database (NVD), the newly discovered RCE flaw also works against users who have already uninstalled the conferencing software but whose systems still have its web server active and listening on port 19421.
Meanwhile, to help its users, Apple surprisingly stepped in yesterday and silently pushed an update to all macOS users that automatically removes the Zoom web server without requiring any user interaction, regardless of whether you’re still using the conferencing software or not.
The technical details of the new remote code execution flaw in the Zoom client for macOS are not yet available, but Jonathan and other researchers have confirmed and demonstrated the existence of a working proof-of-concept exploit, as shown in the video above.
We will share more details on this new RCE flaw with our readers through The Hacker News official Twitter account, as soon as they are available.
To protect against both vulnerabilities, Zoom users are strongly advised to install the latest system updates and to immediately upgrade to Zoom client version 4.4.53932.0709, or simply uninstall the software and use only the browser version of the meeting client.
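To confirm that nothing is still listening on port 19421 after updating or uninstalling, a check along these lines can be run in the macOS terminal. This is an added example, not code from Zoom, Apple or the researchers; the function names and the sample `lsof` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes listening on TCP port 19421, the port the
# article gives for Zoom's local web server.
PORT=19421

# Constructed sample of `lsof -nP -iTCP`-style output (not captured from a
# real machine). lsof shortens command names to 9 characters by default.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 4242 alice 5u  IPv4 0x1a2b 0t0      TCP  127.0.0.1:19421 (LISTEN)
node      99   alice 20u IPv4 0x3c4d 0t0      TCP  *:3000 (LISTEN)
Safari    77   alice 31u IPv4 0x5e6f 0t0      TCP  192.168.1.5:51234->203.0.113.9:19421 (ESTABLISHED)
EOF
}

# Read lsof output on stdin and print "command pid address" for every socket
# in LISTEN state whose local port is $PORT. Outbound connections to a remote
# port 19421 are ignored. Returns 0 if a listener was found, 1 otherwise.
find_listeners() {
    awk -v port="$PORT" '
        NR == 1 && $1 == "COMMAND" { next }      # skip the header row
        $NF == "(LISTEN)" {
            addr = $(NF - 1)                      # 127.0.0.1:19421, *:19421, [::1]:19421
            n = split(addr, parts, ":")
            if (parts[n] == port) { print $1, $2, addr; found = 1 }
        }
        END { exit !found }
    '
}

if [ "${1:-}" = "--live" ]; then
    # Real check: ask lsof only for listeners on the port.
    lsof -nP -iTCP:"$PORT" -sTCP:LISTEN 2>/dev/null | find_listeners \
        || echo "no listener on TCP port $PORT"
else
    # Default: run against the constructed sample so the script works anywhere.
    sample_lsof | find_listeners
fi
```

Run with `--live` on the Mac being checked; a listener reported on a machine where Zoom was already removed indicates the leftover web server described above.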