Zoom Client through 4.4.4 on macOS Remote Vulnerability (CVE-2019-13450)

On This Page

Security Alerts

March 24, 2020

Windows Zero-Day Exploit: Type 1 Font Parsing Remote Code Execution Vulnerability

March 13, 2020

Patch IMMEDIATELY – Microsoft SMBv3 Compression - Wormable RCE Vulnerability - CVE-2020-0796

January 14, 2020

Patch IMMEDIATELY! - Microsoft Remote Desktop Gateway Remote Code Execution Vulnerability (CVE-2020-0610)
Patch IMMEDIATELY! - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

January 13, 2020

Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution
News Archive
July 9, 2019

Summary

A vulnerability has been publicly disclosed in the Mac version of Zoom that allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. [1]

Impact

This vulnerability can be used to record video from a user's webcam and in Zoom version <= 4.4.1 an additional vulnerability allows an attacker to cause the computer to become unusable until rebooted. Additionally, an attacker can use the vulnerability to re-install zoom, even if it has been previously uninstalled [1][3][4]

Vulnerable

  • Zoom for Mac <= v4.4.4

Recommendations

  • A patch is scheduled to be released tonight July 9, 2019. This should be applied as soon as possible. [2] Note: To ensure Zoom is updated, select Zoom > Check for Updates from the menu bar
  • Configure zoom to never automatically enable video and audio when joining a meeting
  • Consider using a physical cover for your computers' webcam

References