The backlash from a public security incident can be swift and brutal, a lesson that executives at Zoom are learning this week as the result of the disclosure of a weird, nasty bug in the company’s video conferencing client for Macs. The company’s CEO said Wednesday that Zoom “we misjudged the situation and did not respond quickly enough” to the vulnerability report and is taking measures to fix that, including establishing a public vulnerability disclosure program.
The problem began in earnest on July 8 when security researcher Jonathan Leitschuh published a long piece describing both the weakness in the Zoom client for macOS and the disclosure and remediation process he went through with the Zoom security team over the preceding three months. Neither description was especially pretty. Leitschuh found a pair of vulnerabilities in the client, the most serious of which could allow an attacker to force a victim to join a Zoom call with video turned on. More importantly, he also discovered that the Zoom client installs a local web server that remains on the machine even after the user uninstalls the client.
The web server is used for a variety of things, but it’s at the heart of the flaw Leitschuh found and the revelation that it stays behind after the client is gone angered users and mystified security researchers. After Leitschuh’s disclosure, Zoom officials said they didn’t have a simple way to help users delete both the client and the web server. On July 9, the company issued an update that included a one-click method for removing both the client and the local web server.
On Wednesday, Apple made its own move, pushing an update that took the web server off Macs.
“Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction,” Zoom CEO Eric Yuan said in a post Wednesday.
That’s a start, but Yuan said that the company also is working on a second update, to be released this weekend, that will give users more control of the video settings in the client. One of the issues that Leitschuh found was that an attacker could create a meeting and opt to have other people join with video turned on. The next update will address that.
“Our current escalation process clearly wasn’t good enough in this instance.”
“With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings,” Yuan said.
Beyond the vulnerability itself, Leitschuh also detailed his back-and-forth with the Zoom security team after his initial disclosure to the company in March. The Zoom team confirmed the bug and offered Leitschuh a payment as part of its private bug bounty program, but he declined as the terms prevented him from disclosing the details even after the bug was patched. Leitschuh had discussions with the company about the bug and potential fixes for several months and eventually, after 90 days, Zoom issued a fix, which turned out to be incomplete. A regression issue soon after caused even more problems and Leitschuh ended up disclosing the details on July 8.
Yuan acknowledged on Wednesday that Zoom hadn’t responded properly to Leitschuh’s disclosure. The company plans to start a public disclosure program and is changing its internal processes, as well.
“Our current escalation process clearly wasn’t good enough in this instance. We have taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns,” Yuan said.