July 9, 2019
Summary
A vulnerability has been publicly disclosed in the Mac version of Zoom that allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. [1]
Impact
This vulnerability can be used to record video from a user's webcam. In Zoom version <= 4.4.1, an additional vulnerability allows an attacker to cause the computer to become unusable until rebooted. Additionally, an attacker can use the vulnerability to re-install Zoom, even if it has been previously uninstalled. [1][3][4]
Vulnerable
- Zoom for Mac <= v4.4.4
Recommendations
- A patch is scheduled to be released tonight, July 9, 2019. This should be applied as soon as possible. [2] Note: To ensure Zoom is updated, select Zoom > Check for Updates from the menu bar.
- Configure Zoom to never automatically enable video and audio when joining a meeting
- Consider using a physical cover for your computer's webcam