MANILA, Philippines – The makers of video conferencing program Zoom on Tuesday, July 9, released a patch to address a vulnerability in its Mac version that could have forced users into a Zoom video call – with the camera on – without the user allowing it.
The issue was compounded by Zoom installing a local web server on the Mac that would download and reinstall Zoom with no user interaction beyond visiting a webpage. The vulnerability also allowed a webpage to keep a Mac from functioning properly, a denial of service carried out by repeatedly joining the user to an invalid call.
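The class of weakness described above is a helper server on localhost that acts on any request a browser sends it. The snippet below is an added illustration, not Zoom's code and not a description of how its server worked: it shows the minimum decision logic such a helper should apply before doing anything (refuse GETs, which any image or script tag can trigger; check the browser-supplied Origin header against an allow-list; cap requests per client so a page cannot spam join attempts; and only prompt the user rather than start a call). The endpoint path /join, the origin https://vendor.example and the request budget are assumptions made for the demo. Zoom's own fix, as the article reports, was to remove the web server entirely.

```python
# Added illustration (not Zoom's code): decision logic a localhost helper
# server should apply before acting on a browser-originated request.
# The endpoint, allowed origin and request budget are constructed values.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption for the demo: only the vendor's own web origin may drive the helper.
ALLOWED_ORIGINS = {"https://vendor.example"}

# Per-client budget so a hostile page cannot flood the helper with join
# requests (the denial of service the article mentions). Constructed value.
MAX_REQUESTS_PER_CLIENT = 5
_request_counts = {}


def classify_request(method, path, headers, client="local"):
    """Decide whether a browser-originated request may trigger an action.

    Returns (accepted, reason). `headers` is any mapping with .get(), such as
    http.server's self.headers. The weak behaviour guarded against here is
    "any GET from any page launches the app".
    """
    if path != "/join":
        return False, "unknown endpoint"
    # Side effects only on POST: a GET is trivially issued by <img>/<script>.
    if method != "POST":
        return False, "state-changing action requires POST"
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header"
    # Browsers set Origin themselves; a page cannot claim another site's origin.
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    count = _request_counts.get(client, 0) + 1
    _request_counts[client] = count
    if count > MAX_REQUESTS_PER_CLIENT:
        return False, "rate limit exceeded"
    return True, "ok"


class HelperHandler(BaseHTTPRequestHandler):
    """Minimal loopback handler that consults classify_request."""

    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _handle(self, method):
        ok, reason = classify_request(method, self.path, self.headers,
                                      client=self.client_address[0])
        if ok:
            # Hardened behaviour: an accepted request only asks the user;
            # it never starts a call or turns on the camera by itself.
            self._reply(200, "prompting user to confirm joining the meeting")
        else:
            self._reply(403, reason)

    def do_GET(self):
        self._handle("GET")

    def do_POST(self):
        self._handle("POST")


def serve(port=0):
    """Bind to loopback only; port 0 lets the OS pick a free port."""
    server = HTTPServer(("127.0.0.1", port), HelperHandler)
    print(f"listening on 127.0.0.1:{server.server_address[1]}")
    server.serve_forever()


if __name__ == "__main__":
    serve()
```

Run the file and point a browser at the printed port: a plain navigation (a GET) is refused, and even an accepted POST from the allow-listed origin returns a message about prompting the user instead of joining anything. The stronger option, which is what the patch described in this article did, is not to ship a listener at all.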
The vulnerability was discovered by Jonathan Leitschuh back in March and was publicly disclosed on July 9, after Zoom's Chief Information Officer Richard Farley originally wrote that the company had "decided not to change the application functionality" and would instead save a user's preferences as a sort of stopgap solution.
In an interview with The Verge, Farley also explained why the company reversed course.
Farley said, "Ultimately, it's based on the feedback of the people that have been following this and contributing to the discussion. Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks – we believe that was the right decision. And it was [at] the request of some of our customers."
"But we also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine. So that’s why we made the decision to remove that component – despite the fact that it’s going to require an extra click from Safari."
[Update] The July 9 patch to the Zoom app on Mac devices detailed earlier on our blog is now live. Details on the various fixes contained within it are explained, as well as how to update the Zoom software. See blog post here: https://t.co/56yDgoZf1U
— Zoom (@zoom_us) July 9, 2019
Users can download the patch now by going to zoom.us/download, or by using the Check for Updates function of the Zoom application. – Rappler.com