Zoom zero-day vulnerability: Answers to the questions you should be asking
The Zoom vulnerability for Mac users has raised a number of questions for both current and prospective Zoom customers, and rightly so.
According to security researcher Jonathan Leitschuh, the “vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” Before it was patched, this vulnerability left potentially 4 million webcams exposed.
In this post, we’ll take a closer look at Zoom’s zero-day vulnerability situation, address the questions we’ve been getting, and offer additional thoughts on steps you should take moving forward.
Has Zoom addressed the problem?
Zoom is taking steps to fix the vulnerability.
Zoom’s use of a local web server on devices allowed users to join meetings faster, but it was not best practice and let any website bypass native Safari controls. Zoom rectified that by removing the local web server. Zoom also worked with Apple to push out an update that removes the vulnerable Zoom component from all Macs.
Zoom is improving its bounty program by going live with a public disclosure program. This will supplement Zoom’s current private bug bounty program.
Users can now uninstall Zoom manually by clicking the “Uninstall Zoom” button in the menu. Choosing this option removes the Zoom app and web server, as well as your saved settings, from the device. This prevents an uninstalled Zoom app from reinstalling itself without your permission (one of the vulnerabilities discovered).
Like most organizations, Zoom has to weigh user experience vs. additional controls. It chose a path, something happened, and the organization addressed it. While the situation might not have been handled with full transparency initially, Zoom worked to address this vulnerability and has taken other steps to ensure the safety of its user base and regain trust.
Should existing customers continue with Zoom or look for alternative platforms?
Vulnerabilities happen – it’s part of the risk we take working with technology every day. Maybe Zoom could’ve reacted sooner and addressed the vulnerability in a more timely manner, but the way Zoom handled the issue did not indicate any kind of gross negligence or lack of due care.
Because of this, most customers shouldn’t be quick to abandon Zoom. It remains the only product to solve the laundry list of video conferencing problems, and it offers the best experience on the market.
If a company decides to rashly block any communications tool on its network without first implementing and training staff on a new tool, it would likely disrupt the business. While security is important, companies need to weigh the pros and cons of how strict a security posture they want or need with how it would change their business operations.
What should potential Zoom customers do?
Potential customers are slowing down the buying process, and rightfully so. It’s important to do your due diligence, take a deeper look at this entire situation – from the fault in the design, to how Zoom handled everything – and weigh your options. Respond in a measured and thoughtful way instead of making a knee-jerk reaction.
More importantly, use these issues as an opportunity to reinforce good habits in your own operations and organizational DNA.
Make sure you adhere to common security controls and practices like alerting/monitoring, DNS checking, and web and email filtering. All of these offer additional ways to help identify malware and stop it before it fully activates. Understand the true impact this incident will have on your organization so that you can choose an appropriate response.
Ultimately, this event likely shouldn’t be the deciding factor when considering video conferencing solutions. If you’re in the market for a video conferencing app, take your time, do your homework, and make sure you’re comfortable with your purchasing decision.
If you have further questions about the Zoom zero-day vulnerability and how it affects your organization moving forward, contact your SHI account executive.
Jeff Cobb and Elliott Foreman contributed to this post.