Apr 02, 2020 ‘Zoom is malware’: why experts worry about the video conferencing platform. A bug discovered this week would enable hackers to take over a Zoom user’s Mac.
What you need to know
An ex-NSA hacker has found yet another critical security flaw in Zoom, this time two bugs in the Mac client.
According to TechCrunch, an ex-NSA hacker has found two bugs within the macOS version of Zoom:
Wardle's first bug piggybacks off a previous finding. Zoom uses a 'shady' technique — one that's also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as 'root.'
Those root-level user privileges mean the attacker can access the underlying macOS operating system, which is typically off-limits to most users, making it easier to run malware or spyware without the user noticing.
This is a reference to Zoom's installation protocol, which was described as 'very shady' by experts. From that report:
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).
This is not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.
Well, turns out that it is malicious because it can be used by an attacker to inject the installer with malicious code, obtaining 'the highest level of user privileges'.
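Defenders can look for this pattern before an installer is ever run. The following shell script is an added example (not code from the report or from Zoom): given a package already expanded on macOS with `pkgutil --expand`, it lists every preinstall/postinstall script and flags those that unpack an archive or write into /Applications themselves, as the quoted report describes. The sample package tree is constructed inline so the check runs offline.

```sh
#!/bin/sh
# Audit an expanded macOS installer package (output of `pkgutil --expand`)
# for pre/postinstall scripts that perform the install on their own.
# Added example; the sample package below is constructed, not a real Zoom pkg.

audit_pkg_scripts() {
    pkgdir="$1"
    flagged=0
    # In an expanded package each component keeps its scripts under Scripts/.
    # (Word-splitting on find output is acceptable here: pkgutil names have no spaces.)
    for script in $(find "$pkgdir" -type f \( -name preinstall -o -name postinstall \) 2>/dev/null); do
        echo "script: $script"
        # Review triggers: a bundled/invoked 7z archiver or a direct write to
        # /Applications from a pre-flight script, i.e. the script IS the installer.
        if grep -Eq '7z|/Applications' "$script"; then
            echo "  FLAG: script installs on its own (archiver or /Applications write)"
            flagged=$((flagged + 1))
        fi
    done
    echo "flagged=$flagged"
    return "$flagged"   # non-zero exit when anything was flagged
}

# Constructed sample: one component whose preinstall mirrors the described
# behaviour (unpack with bundled 7zr, copy to /Applications if user is admin),
# plus one harmless preinstall that only logs.
make_sample_pkg() {
    d="$1"
    mkdir -p "$d/app.pkg/Scripts" "$d/benign.pkg/Scripts"
    cat > "$d/app.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
if id -Gn | grep -q admin; then
    "$PWD/7zr" x app.7z -o/tmp/unpack
    cp -R /tmp/unpack/Example.app /Applications/
fi
exit 0
EOF
    printf '#!/bin/sh\nlogger "benign preflight"\nexit 0\n' > "$d/benign.pkg/Scripts/preinstall"
}

# Usage on macOS with a real package (assumed path):
#   pkgutil --expand Installer.pkg /tmp/expanded && audit_pkg_scripts /tmp/expanded
```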
A second bug (yes, there are two, plus all the other ones) involves your webcam and microphone:
The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will 'automatically inherit' any or all of Zoom's access rights, he said — and that includes Zoom's access to the webcam and microphone.
In fairness, these have all been revealed in a single blog post, giving Zoom almost no time to address them. However, Zoom appears to be a total dumpster fire when it comes to privacy and security. It has also been revealed that, despite its claims, Zoom's calls are not end-to-end encrypted, and that its 'Company Directory' feature pooled thousands of strangers, leaking personal data.
Update 7:23pm ET: As this post was being reported, Zoom developers reversed their previous position and issued an update that changes the contested behavior.
'Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,' Zoom's Jonathan Farley wrote. 'But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service.'
The update makes the following changes:
Zoom developers also added new details about a previously mentioned update, which is now scheduled for Friday. It will
What follows is the story as it ran earlier:
One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop. If the webcam is covered by tape or a sticker, they likely are. A recently published report on the Zoom conferencing application for Macs underscores why this practice makes sense.
Researcher Jonathan Leitschuh reported on Monday that, in certain cases, websites can automatically cause visitors to join calls with their cameras turned on. It's not hard to imagine this being a problem for people in their bathrobes or in the middle of a sensitive business conference since a malicious link would give no warning in advance it will open Zoom and broadcast whatever is in view of the camera.
Zoom developers almost certainly intended the behavior to make it easier to use the Web conferencing app. But unless users have properly tweaked their settings in advance, Leitschuh's findings show how miscreants can turn this ease-of-use against unwitting users. A proof-of-concept exploit is available here, but reader be warned: depending on your Zoom settings, your webcam may soon be transmitting whatever it sees to perfect strangers.
'This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission,' Leitschuh wrote.
Leitschuh is mostly correct there. Clicking the link will automatically open Zoom and join a call. But as mentioned earlier, video is collected only when Zoom is configured to begin conferences with a camera turned on. Some media reports and social media commentators have said this behavior allows websites to 'hijack' a Mac webcam. I'd argue that's a stretch since (1) it's fairly obvious that Zoom is opening and broadcasting whatever the camera sees and (2) it's easy to immediately leave the conference or simply turn off the camera.
What's more, preventing the video grab involves a one-time click on a box in the Zoom preferences that keeps video turned off when joining a meeting. But user beware: even when this setting is on, sites can still force Macs to open Zoom and join a conference.
That's not to say the threat Leitschuh disclosed is mere handwaving. It's not. But it underscores the near-impossible balancing act developers must strike. Make a feature too hard to use and people will move to a competing product. Make it too easy and attackers may abuse it to do bad things the developer never imagined.
In this case, Zoom developers should have warned that the ability to automatically join a conference with video turned on was a powerful feature that could be used to compromise users' privacy. Instead, the developers left it up to users to decide with no up-front guidance. (By contrast, audio is automatically turned off when joining a Zoom conference.) In other words, Zoom developers made this automatic webcam joining way too easy. In retrospect, thanks to Leitschuh's post, that's easy to see.
In a response to Leitschuh's disclosure Zoom's Richard Farley said the company will roll out an update this month that will 'apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings.' Farley didn't say if Zoom will provide the guidance many users will need to make an informed choice.
An always-on webserver
Leitschuh's research uncovered another behavior by Zoom for Mac that is also unsettling to security-conscious people. The app installs a webserver that accepts queries from other devices connected to the same local network. This server continues to run even when a Mac user uninstalls Zoom. Leitschuh showed how this webserver can be abused by people on the same network to force Macs to reinstall the app.
This clearly isn't good. While the webserver is only accessible to devices on the same network, that still exposes people using untrusted networks. And if hackers were ever to come across a code-execution vulnerability in the webserver, the potential for abuse would be even higher. Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users to confirm with a click each time they want to start the Zoom app prior to joining a meeting.
'We feel that this is a legitimate solution to a poor user-experience problem, enabling our users to have faster, one-click-to-join meetings,' Farley wrote. 'We are not alone among video-conferencing providers in implementing this solution.'
Independent security researcher Kevin Beaumont said on Twitter that the BlueJeans video conferencing app for Mac also opens a webserver. There is no evidence that the behavior Leitschuh reported is found in Zoom for Windows.
Convenience is the enemy of security
As is the case with the auto-on webcam when joining meetings, Zoom's implementation of a webserver is a convenience that comes at the potential cost of security. Neither behavior represents a critical vulnerability, but they do suggest Zoom developers could do more to lock down the Mac version of their app, particularly for users who may have less awareness of security issues.
And this is where precautions such as tape over a webcam come in. Users can never be sure developers have adequately safeguarded their apps against hacks or abuse, so the responsibility falls on end users to compensate. Another way to protect against abuses of Zoom or other Web conference software is to use an app such as Little Snitch and configure it to give the conferencing software Internet access for only limited amounts of time. A further self-help protection is to configure macOS so that Zoom only has access to the webcam at the specific times when it's needed.
Yes, these additional protections can be a bother. But they also underscore the fundamental tension between convenience and security.