We support https/SSL proxy server via port 443 for Zoom traffic. Note: This does not apply to the Zoom Phone service. Zoom automatically detects your proxy settings. In some instances, you may be prompted to enter the proxy username/password. Applies to: Sophos Home Premium (Windows and Mac) Webcam protection (available on Windows and Mac) is a Sophos Home feature that alerts you of unwanted use of your webcam. This feature is enabled by default. Mic protection (available on Mac only) is a Sophos Home feature that alerts you of unwanted use of your microphone. This feature is enabled by default.
In an embarrassing twist to the week-long saga of Zoom’s vulnerable web-conferencing app, Apple has issued a ‘silent’ update that automatically removes the software’s hidden web server from Macs.
Zoom released its own fix doing the same thing a day earlier, on 9 July 2019, but Apple remained unconvinced that this protected users who had either not updated their software or had deleted it before the company took this action.
Removing something hidden from a platform like Apple’s isn’t a good look, and to add insult to injury, according to Apple expert Patrick Wardle, the removal was carried out using the macOS Malware Removal Tool (MRT).
Zoom later said it had worked with Apple to “test” the removal update, although to some people that will sound like a face-saving statement of the obvious.
Rinse and repeat
It’s fair to say, then, that last week was not a good one for anyone working at Zoom, whose web conferencing software boasts of having more than four million users across desktop and mobile platforms, including Windows (some of whose users are also affected).
The timeline of the vulnerabilities uncovered in Zoom, and the company’s response to it, have become rather confusing since news of the issue was made public on 8 July 2019 by researcher Jonathan Leitschuh.
Naked Security has already covered much of this in an earlier story, including some basic mitigation against it.
We’ll summarise the increasingly confusing story since that coverage by noting that the vulnerabilities have now generated three advisories:
- CVE-2019-13449 (the original denial-of service flaw),
- CVE-2019-13450 (webcam takeover, unpatched but mitigated by removing the web server described above), and
- CVE-2019-13567 (a proof-of-concept making possible Remote Code Execution).
The first and third issues should be fixed by updating to Zoom client version 4.4.2 on macOS (the software is also re-branded by RingCentral, in which case it’s version 7.0.136380.0312).
The aftermath
Applications are afflicted with security problems all the time, but the account offered by Leitschuh of his attempts to get the company’s attention when he first discovered the issue in March 2019 doesn’t read well.
First, it took him weeks to get a response before he says the company offered him a bug bounty on the condition he didn’t publicly disclose the problem.
After some toing-and-froing and the expiration of Leitschuh’s 90-day disclosure, a ‘fix’ was issued that turned out to have a workaround, at which point he made the flaws public.
Tweeted Leitschuh on 8 July 2019:
This is my #ZeroDay#PublicDisclosure of a security vulnerability impacting 4+ Million of @zoom_us's users who have the Zoom Client installed on Mac.
Zoom had 90-days + two weeks to resolve this #vulnerability and failed to do so.https://t.co/hvsoS79bos
Sophos Zoom Security
— Jonathan Leitschuh (@JLLeitschuh) July 8, 2019Zoom responded in a statement, admitting that its website “doesn’t provide clear information for reporting security concerns,” and announcing imminent plans to launch a public bug bounty program.
It also painted a less tardy picture of its response to the flaws, without fully explaining why its engineers took the arguably risky step of running a local web server with an undocumented API in the first place.
Zoom Sophos Extension
For his part, Leitschuh recommends reporting flaws via third-party bug bounty programs rather than via Zoom’s. Either way, with researchers all over its software like a rash, Zoom has a job on its hands to restore trust.