Daring Fireball: Apple Is Sending Out Another Silent Update To Fix the Webcam Flaw in Zoom’s Partner Apps
...So here’s an interesting question. I’ve been using the phrase “nonconsensual technology” to describe Zoom’s invisible web server that remained installed and running even after you deleted the Zoom app. But when Apple first issued a silent, emergency system update to remove Zoom’s software, a few DF readers emailed or tweeted to ask: Isn’t this “nonconsensual technology” too?
Clearly, the answer sounds like yes at first. Users get no indication of the update, and “requires no user action” makes it sound like it’s mandatory. But there is a setting to control this, allowing Mac users to disable the automatic installation of such updates. On MacOS 10.14 Mojave, it’s in System Prefs → Software Update → Advanced (screenshot); on 10.13 High Sierra, it’s in System Prefs → App Store (screenshot). In both versions, the checkbox is labeled “Install system data files and security updates”, and resides at the bottom of the section that controls what gets installed automatically.
This option is enabled by default — even if you choose to install regular system updates manually — which is why the vast majority of Mac users are getting these “silent” updates automatically. But if you disable this option, even these silent updates won’t be installed automatically. I confirmed this with an Apple spokesperson, who emphasized that Apple only issues such updates “extremely judiciously”. Any pending security updates will be installed the next time you manually update software.
I think Apple has struck a nearly perfect balance here, between doing what’s right for most users (installing these rare emergency updates automatically) and doing what’s right for power users who really do want to control when updates — even essential ones — are installed. I also think Apple is doing the right thing by going to the press and explaining when they issue such updates. If I could tweak anything, it would be to have these updates show up in the regular list of pending software updates if you have “Install system data files and security updates” turned off.
daring_fireball  apple  mac  update  security  privacy  zoom  apps  webcam  bug  hack 
4 days ago by rgl7194
RingCentral And Zhumu Customers Were Also Affected By The Vulnerability Allowing Hackers To Hijack Your Mac's Camera
Both RingCentral and Zhumu license Zoom’s technology. Lyons explained, “If a lettuce producer has an E. coli outbreak, everyone who resells that lettuce under myriad brands in stores, or uses that lettuce in their sandwiches now also has vulnerable customers.”
ringcentral  voice2  zoom  security  ovum  Apple 
6 days ago by yorksranter
Zoom out - All this
“[…] And since there’s only one matching process, we could reduce the command even further:

“kill -9 $(lsof -ti :19421)
“The $(command) construct says ‘run this command and put its output here.’”
leancrew  2019  drdrang  zoom  shell  terminal 
6 days ago by handcoding
Zoom Video Conferencing for macOS Also Vulnerable to Critical RCE Flaw
The chaos and panic that the disclosure of a privacy vulnerability in the highly popular and widely-used Zoom video conferencing software created earlier this week is not over yet.
As suspected, it turns out that the core issue—a web server installed locally by the software—was not just allowing any website to turn on your device's webcam, but could also allow hackers to take complete control over your Apple Mac computer remotely.
Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users to visit an innocent-looking web page.
As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability (CVE-2019-13450) that resides in the way its click-to-join feature is implemented, which automatically turns on users' webcam when they visit an invite link.
Both vulnerabilities stem from a controversial local web server—running on port 19421—that the Zoom client installs on users' computers to offer the click-to-join feature.
apps  bug  hack  mac  privacy  security  webcam  zoom 
9 days ago by rgl7194
Daring Fireball: Apple Has Pushed a Silent MacOS Update to Remove Zoom's Hidden Web Server
Zack Whittaker, reporting for TechCrunch:
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.
The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.
Apple said the update does not require any user interaction and is deployed automatically.
That’s the end of that chapter. I forgot to mention the other day that the worst part about Zoom’s local web server is that if you deleted the Zoom app, the web server would silently reinstall the Zoom app if a website you visited requested it. That phrase I quoted yesterday, “nonconsensual technology”, really sums it up. I’ll go out on a limb and say Apple is none too pleased about this. I can’t think of a better example to explain why we — which is to say honest Mac users and developers — are stuck with ever-tightening sandbox restrictions on the Mac.
apple  apps  bug  hack  mac  privacy  security  update  webcam  zoom  daring_fireball 
11 days ago by rgl7194
Apple has pushed a silent Mac update to remove hidden Zoom web server • TechCrunch
Zack Whittaker:
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.

The video conferencing giant took flack from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction…

…The update will now prompt users if they want to open the app, whereas before it would open automatically.
apple  mac  zoom  hacking  vulnerability 
11 days ago by charlesarthur
Serious Zoom security flaw could let websites hijack Mac cameras - The Verge, Jul 2019
"Today, security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conferencing app on Macs. He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That’s possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn’t. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention."
TheVerge  cybersecurity  hacking  vulnerability  Zoom  Mac 
11 days ago by pierredv
Response to Video-On Concern - Zoom Blog
Setting aside the rank stupidity of the implementation, this is pretty much a textbook case of how not to respond to a security disclosure by a researcher.
Pitch-perfect: bungled response ("security guy is out, we'll let him know"), adversarial response to researcher, dissembling explanations (borderline ludicrous, frankly), bungled release, releasing a regression, tone-deaf and defensive public messaging, and advertising their commitment to hiding their security issues.
All of which is evidence that they didn't really have a response plan.

Fortunately they managed to avoid: threatening/initiating a lawsuit, typically a c/d, against the investigator and condemning the infosec community in general.
zoom  privacy  infosec  security 
11 days ago by po
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
A serious security issue in zoom (on Mac it installs a web server locally which does things like launching the zoom client). Also a very clear example of responsible disclosure by a professional.
security  zoom  via:HackerNews 
11 days ago by mcherm
Silent Mac update nukes dangerous webserver installed by Zoom | Ars Technica
Fix also requires users to confirm they want to join a Zoom conference.
Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.
The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.
Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required of end users. The update was first reported by TechCrunch.
security  privacy  zoom  webcam  mac  bug  hack  apps  apple  update 
12 days ago by rgl7194