New: July 10, 2019

Vulnerabilities in the Zoom client for macOS have the following impacts:

  • A malicious website can turn on the macOS device's camera without user permission, simply by having the user visit the page.
  • Potential denial of service on the macOS device by repeatedly joining the user to an invalid call.
  • A localhost web server installed by the client remains on the device even after Zoom is uninstalled. This web server can be used to re-install Zoom without user interaction.


Recommended Actions

  1. Detect and identify all Zoom and RingCentral clients, current and past, including any that have been uninstalled, for immediate patching.
  2. Apply the July 9, 2019 or later patch in the Zoom app. Users may see a pop-up in Zoom prompting them to update the client; otherwise download it at us/download, or check for updates by opening the Zoom app window, clicking "zoom.us" in the top-left corner of the screen, and then clicking "Check for Updates".
  3. Removing the Zoom application without patching does not eliminate the localhost web server vulnerability; the device must be patched, not merely have Zoom uninstalled.

There is currently no scan tool for identifying vulnerable devices. ISEA will monitor for the release of one.
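Until a vendor scan tool is available, the lingering web server can still be checked for by hand. The script below is an added example written for this advisory; it is not Zoom's, RingCentral's or ISEA's code. It assumes details taken from the public disclosure rather than from this advisory: that the lingering server is ZoomOpener.app in the hidden directory ~/.zoomus listening on localhost TCP port 19421, and that the RingCentral client installs an equivalent RingCentralOpener.app under ~/.ringcentralopener listening on port 19424. Treat the paths and ports as assumptions and adjust them to what your own inventory shows.

```shell
#!/bin/sh
# Added detection helper for the lingering opener web server (macOS).
# Not part of the advisory and not vendor code.
# ASSUMPTIONS (from the public disclosure, not from this advisory):
#   - Zoom:        ~/.zoomus/ZoomOpener.app, listener on localhost TCP 19421
#   - RingCentral: ~/.ringcentralopener/RingCentralOpener.app, listener on TCP 19424
OPENER_PATHS=".zoomus/ZoomOpener.app .ringcentralopener/RingCentralOpener.app"
OPENER_PORTS="19421 19424"

# opener_dirs_present HOMEDIR
# Prints every assumed opener path that exists under HOMEDIR.
# Exit status 0 if at least one is present, 1 if none.
opener_dirs_present() {
    homedir=$1
    found=1
    for rel in $OPENER_PATHS; do
        if [ -e "$homedir/$rel" ]; then
            echo "$homedir/$rel"
            found=0
        fi
    done
    return $found
}

# opener_ports_listening
# Prints each assumed opener port that has a local TCP listener, using lsof
# (shipped with macOS). Exit status 0 if any listener, 1 if none or no lsof.
opener_ports_listening() {
    command -v lsof >/dev/null 2>&1 || return 1
    found=1
    for port in $OPENER_PORTS; do
        if lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1; then
            echo "$port"
            found=0
        fi
    done
    return $found
}

# scan_all_homes
# Checks every home directory under /Users (macOS layout) plus the live
# listeners. Exit status 0 if anything was found, 1 otherwise.
# The directory check matters because the server survives an uninstall:
# a host with no Zoom.app but a ~/.zoomus directory is still exposed.
scan_all_homes() {
    status=1
    for h in /Users/*; do
        [ -d "$h" ] || continue
        if opener_dirs_present "$h"; then status=0; fi
    done
    if opener_ports_listening; then status=0; fi
    return $status
}

if scan_all_homes; then
    echo "RESULT: lingering opener web server found; patch the device, do not just uninstall"
else
    echo "RESULT: no assumed opener directory or listener found"
fi
```

Run it with sudo so that every user's home directory is readable. A hit on the directory check with no Zoom.app present is exactly the "uninstalled but still vulnerable" case in recommended action 3.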


Affected Versions

Zoom client for macOS through version 4.4.4, and RingCentral for macOS version 7.0.136380.0312, on all macOS versions.


References

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13449

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450