Zoom Client through 4.4.4 on macOS Remote Vulnerability (CVE-2019-13450)

July 9, 2019

Summary

A vulnerability has been publicly disclosed in the Mac version of Zoom that allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. [1]

Impact

This vulnerability can be used to record video from a user's webcam. In Zoom versions <= 4.4.1, an additional vulnerability allows an attacker to cause the computer to become unusable until rebooted. Additionally, an attacker can use the vulnerability to re-install Zoom, even if it has been previously uninstalled. [1][3][4]

Vulnerable

  • Zoom for Mac <= v4.4.4

Recommendations

  • A patch is scheduled to be released tonight, July 9, 2019. This should be applied as soon as possible. [2] Note: To ensure Zoom is updated, select Zoom > Check for Updates from the menu bar.
  • Configure Zoom to never automatically enable video and audio when joining a meeting.
  • Consider using a physical cover for your computer's webcam.

References