CVE-2019-13450: Dangerous Zero-Day in Mac Zoom Client

CVE-2019-13450: Dangerous Zero-Day in Mac Zoom Client

1 Star2 Stars3 Stars4 Stars5 Stars (1 stemmer, gennemsnit: 4.00 ud af 5)
Loading ...

Jonathan Leitschuh just reported “a vulnerability in the Mac Zoom Client” that allows “any malicious website to enable your camera without your permission". The issue known under CVE-2019-13450 potentially puts at risk up to 750,000 companies around the world that use Zoom to conduct day-to-day business, Leitschuh said in a Medium post.

Den CVE-2019-13450 vulnerability is present even when the Mac user has uninstalled the Zoom client, making it possible for a remote attacker to activate the device’s webcam. Why is this so threatening? Because Zoom is one of the most well-known cloud-based platforms for video, audio and screen sharing. The platform is widely adopted by enterprises across the globe as it enables webinars, online courses, meetings, training, etc.

Men, the Zoom client app for Mac computers can allow attackers to execute remote arbitrary code. It should be noted that this attack is possible if it is chained with a separate vulnerability. The two vulnerabilities are the following:

DOS Vulnerability — Fixed in Client version 4.4.2 — CVE-2019–13449
Information Disclosure (Webcam) — Unpatched —CVE-2019–13450

Kort sagt, the issue is stemming from the click-to-join feature that has been designed to automatically activate Zoom thus making it possible for users to quickly join a video meeting using their web browser. “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example and when they open that link in their browser their Zoom client is magically opened on their local machine,” the researcher explained.

As stated, the only needed action is to click on an invite link. What the researcher discovered is that the mentioned feature needs a local web server on the system on havn 19421. The port receives commands via HTTPS GET and any website in the user’s browser can interact with it. This behavior is rather insecure.

How Can CVE-2019-13450 Be Exploited against Mac Users?

The only thing an attacker would have to do is create an invite link through an account on Zoom’s website and embed it on a third-party website as an image tag or via iFrame. Then the attacker would need to convince the target to visit that particular website.

What did Zoom do to secure its users? Tilsyneladende, the company wasn’t efficient in its actions, as evident by Leitschuh’s post:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, kun 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. Men, I was very easily able to spot and describe bypasses in their planned fix. På dette tidspunkt, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.

Relaterede: OSX / Linker Malware Udnytter kendt Gatekeeper Sårbarhed

As noted by the researcher, the vulnerability is definitely a zero-day flaw, which hasn’t been fixed in the 90-day disclosure period, which is the “industry standard”. This leaves more than 4 million users of Zoom on Mac vulnerable to the serious privacy bug.

Men, users can still address the issue themselves by disabling the ability for Zoom to turn on the webcam when joining a meeting. There’s also a terminal command that can be used:

# For just your local account

defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# For all users on the machine

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1


Milena Dimitrova

En inspireret forfatter og indhold leder, der har været med SensorsTechForum for 4 år. Nyder ’Mr. Robot’og frygt’1984’. Fokuseret på brugernes privatliv og malware udvikling, hun tror stærkt på en verden, hvor cybersikkerhed spiller en central rolle. Hvis almindelig sund fornuft giver ingen mening, hun vil være der til at tage noter. Disse noter senere kan blive til artikler!

Flere indlæg

Efterlad en kommentar

Din e-mail-adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Frist er opbrugt. Venligst genindlæse CAPTCHA.

Del på Facebook Del
Loading ...
Del på Twitter Tweet
Loading ...
Del på Google Plus Del
Loading ...
Del på Linkedin Del
Loading ...
Del på Digg Del
Del på Reddit Del
Loading ...
Del på Stumbleupon Del
Loading ...