CVE-2019-13450: Dangerous Zero-Day in Mac Zoom Client


Jonathan Leitschuh has just reported “a vulnerability in the Mac Zoom Client” that allows “any malicious website to enable your camera without your permission”. The issue, tracked as CVE-2019-13450, potentially puts at risk up to 750,000 companies around the world that use Zoom to conduct day-to-day business, Leitschuh said in a Medium post.

The CVE-2019-13450 vulnerability is present even after the Mac user has uninstalled the Zoom client, making it possible for a remote attacker to activate the device’s webcam. Why is this so threatening? Because Zoom is one of the best-known cloud-based platforms for video, audio and screen sharing. It is widely adopted by enterprises across the globe for webinars, online courses, meetings, training and so on.

However, the Zoom client app for Mac can also allow attackers to execute arbitrary code remotely. It should be noted that this attack is only possible when it is chained with a separate vulnerability. The two vulnerabilities are the following:

DoS vulnerability — fixed in client version 4.4.2 — CVE-2019-13449
Information disclosure (webcam) — unpatched — CVE-2019-13450

In short, the issue stems from the click-to-join feature, which was designed to activate Zoom automatically so that users can quickly join a video meeting from their web browser. “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example and when they open that link in their browser their Zoom client is magically opened on their local machine,” the researcher explained.

As stated, the only action needed is a click on an invite link. What the researcher discovered is that this feature relies on a local web server running on the system on port 19421. The server receives commands via HTTPS GET requests, and any website open in the user’s browser can interact with it. This behavior is inherently insecure.

How Can CVE-2019-13450 Be Exploited against Mac Users?

The only thing an attacker would have to do is create an invite link through an account on Zoom’s website and embed it in a third-party website as an image tag or via an iframe. Then the attacker would need to convince the target to visit that website.

What did Zoom do to secure its users? Apparently, the company wasn’t efficient in its actions, as is evident from Leitschuh’s post:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.

As noted by the researcher, the vulnerability is definitely a zero-day flaw: it was not fixed within the 90-day disclosure period that is the “industry standard”. This leaves more than 4 million Zoom users on Mac vulnerable to this serious privacy bug.

However, users can still address the issue themselves by disabling Zoom’s ability to turn on the webcam when joining a meeting. There is also a terminal command that can be used:

# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
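As an added example (not from the article, the researcher or Zoom), here is a small audit script for a Mac that checks the two facts an administrator can act on from this article: whether anything is listening on loopback port 19421, where the click-to-join helper runs, and whether ZDisableVideo is set in either of the two plists named above. It assumes only those page values, reads the plists with plistlib, and treats a missing or unreadable plist as "video not disabled".

```python
import plistlib
import socket
from pathlib import Path

# Values taken from the article: the click-to-join helper listens on TCP 19421
# and the mitigation writes ZDisableVideo into one of these two plists.
ZOOM_PORT = 19421
USER_PLIST = Path.home() / "Library/Preferences/us.zoom.config.plist"
SYSTEM_PLIST = Path("/Library/Preferences/us.zoom.config.plist")
PREF_KEY = "ZDisableVideo"

def port_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on the loopback port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def parse_disable_video(prefs):
    # `defaults write ... 1` may store a string, an int or a bool; accept all.
    value = prefs.get(PREF_KEY)
    if value is None:
        return None
    return str(value).strip().lower() in ("1", "true", "yes")

def read_disable_video(plist_path):
    """Load a binary or XML plist; None if the file or key is missing."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    try:
        with path.open("rb") as fh:
            return parse_disable_video(plistlib.load(fh))
    except (OSError, ValueError, plistlib.InvalidFileException):
        return None

def audit(user_plist=USER_PLIST, system_plist=SYSTEM_PLIST, port=ZOOM_PORT):
    """Summarise this host's exposure as a dict of findings."""
    listening = port_listening(port)
    user_off = read_disable_video(user_plist)
    system_off = read_disable_video(system_plist)
    return {
        "local_server_listening": listening,
        "user_video_disabled": user_off,
        "system_video_disabled": system_off,
        # Exposed when the helper is reachable and neither plist disables video.
        "exposed": bool(listening and not (user_off or system_off)),
    }
if __name__ == "__main__":
    for key, val in audit().items():
        print(f"{key}: {val}")
```

A listening port with the client uninstalled is the case the article warns about; the plist check only covers the webcam setting, not the helper server itself.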


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. When common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
