CVE-2019-13450: Dangerous Zero-Day Mac Zoom client
Jonathan Leitschuh just reported “a vulnerability in the Mac Zoom Client” that allows “any malicious website to enable your camera without your permission”. The issue, tracked as CVE-2019-13450, potentially puts at risk up to 750,000 companies around the world that use Zoom to conduct day-to-day business, Leitschuh said in a Medium post.

The CVE-2019-13450 vulnerability is present even when the Mac user has uninstalled the Zoom client, making it possible for a remote attacker to activate the device’s webcam. Why is this so threatening? Because Zoom is one of the most well-known cloud-based platforms for video, audio and screen sharing. The platform is widely adopted by enterprises across the globe as it enables webinars, online courses, meetings, training, etc.

However, the Zoom client app for Mac computers can allow attackers to execute remote arbitrary code. It should be noted that this attack is possible only if it is chained with a separate vulnerability. The two vulnerabilities are the following:

DoS Vulnerability (Fixed in Client version 4.4.2): CVE-2019-13449
Information Disclosure (Webcam) (Unpatched): CVE-2019-13450

Simply put, the issue stems from the click-to-join feature, which has been designed to automatically activate Zoom, making it possible for users to quickly join a video meeting from their web browser. “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine,” the researcher explained.

As stated, the only action needed is a click on an invite link. What the researcher discovered is that the feature relies on a local web server on the system, listening on port 19421. The port receives commands via HTTPS GET requests, and any website open in the user’s browser can interact with it. This behavior is rather insecure.

How Can CVE-2019-13450 Be Exploited against Mac Users?

The only thing an attacker would have to do is create an invite link through an account on Zoom’s website and embed it on a third-party website as an image tag or via iFrame. Then the attacker would need to convince the target to visit that particular website.

What did Zoom do to secure its users? Apparently, the company wasn’t efficient in its actions, as evidenced by Leitschuh’s post:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the ‘quick fix’ solution originally suggested.


As noted by the researcher, the vulnerability is definitely a zero-day flaw: it hasn’t been fixed within the 90-day disclosure period that is the “industry standard”. This leaves more than 4 million users of Zoom on Mac vulnerable to the serious privacy bug.

However, users can still address the issue themselves by disabling the ability for Zoom to turn on the webcam when joining a meeting. There’s also a terminal command that can be used:

# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
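The two facts above (a local web server on port 19421 that survives uninstalling the client, and the ZDisableVideo preference that stops the webcam from turning on when a meeting is joined) can be checked together. The audit script below is an added example, not code from the article, from Zoom or from the researcher; it assumes the local server listens on TCP 19421 on the loopback interface as described, and that the `defaults` command is available when run on macOS (elsewhere the preference check reports None).

```python
# Added example (not from the article, Zoom or the researcher): audit whether
# the Zoom local web server is listening on 19421 and whether ZDisableVideo
# is set in the plist domains named in the article.
import os
import shutil
import socket
import subprocess

ZOOM_LOCAL_PORT = 19421  # port the article says the local server uses
PLIST_DOMAINS = (
    "~/Library/Preferences/us.zoom.config.plist",  # current user only
    "/Library/Preferences/us.zoom.config.plist",   # all users on the machine
)


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def read_zdisablevideo(domain):
    """Value of ZDisableVideo in the plist, or None if unset or no `defaults` CLI."""
    if shutil.which("defaults") is None:  # assumption: only present on macOS
        return None
    proc = subprocess.run(
        ["defaults", "read", os.path.expanduser(domain), "ZDisableVideo"],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def assess(listening, zdisablevideo_values):
    """Classify exposure from the listener state and the preference values.

    'mitigated': server is up but video is disabled on join, so an opened
    meeting link cannot turn the camera on. 'exposed': it can.
    """
    if not listening:
        return "no local server on port %d" % ZOOM_LOCAL_PORT
    if any(v == "1" for v in zdisablevideo_values):
        return "mitigated: local server up, ZDisableVideo set"
    return "exposed: local server up, webcam auto-enabled on join"


def audit(port=ZOOM_LOCAL_PORT):
    values = [read_zdisablevideo(d) for d in PLIST_DOMAINS]
    return assess(port_is_listening(port), values)


if __name__ == "__main__":
    print(audit())
```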


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys “Mr. Robot” and fears “1984”. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
