Zoom's zero day bug bounty write-up
By now you’ve probably heard about Zoom’s zero day bug: a flaw in the Mac client’s hidden local web server that let any web page force a visitor into a meeting with their webcam on, exposing 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups:
This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However…
If you use Zoom, or if you’ve EVER installed Zoom on a Mac, read Jonathan’s write-up and take appropriate action: update Zoom, or remove the local web server it leaves behind even after the app itself has been uninstalled. Check whether the server is present by running lsof -i :19421 in Terminal; any output means something is still listening on that port.
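The lsof check above, extended into a small script as an added example (not code from this page, from Zoom, or from Leitschuh’s write-up). It lists whatever is listening on port 19421, checks for the ~/.zoomus directory the write-up identifies as the daemon’s install location, and with --fix kills the listener and leaves an empty, unwritable ~/.zoomus file in its place so a later install cannot quietly recreate the directory, which is the remediation the write-up describes. The script name zoom-server-check.sh and the function names are my own; the port and directory are taken from the write-up, not verified by the script.

```shell
#!/bin/sh
# zoom-server-check.sh: look for the local web server the Zoom macOS client
# leaves behind and, optionally, remove it.
# Added example for this page; not code from Zoom or from the write-up.
# Assumptions taken from the public write-up (not verified here):
#   - the server is the ZoomOpener daemon, installed under ~/.zoomus
#   - it listens on localhost TCP port 19421

ZOOM_PORT=19421

# Print "PID COMMAND" for every process listening on the given TCP port.
# Prints nothing and returns 1 when no listener is found (or lsof is absent).
listener_pids() {
  port="${1:-$ZOOM_PORT}"
  out=$(lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { print $2, $1 }')
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Return 0 if the daemon's install directory exists under the given home.
zoomus_dir_present() {
  home="${1:-$HOME}"
  [ -d "$home/.zoomus" ]
}

# Remove the install directory and leave an unwritable empty file in its
# place so a later Zoom install cannot recreate it silently.
# Touches only ~/.zoomus, not the Zoom application itself.
block_zoomus() {
  home="${1:-$HOME}"
  rm -rf "$home/.zoomus"
  : > "$home/.zoomus"
  chmod 000 "$home/.zoomus"
}

# Report-only check: returns 0 when the machine looks clean, 1 otherwise.
check_zoom() {
  home="${1:-$HOME}"
  status=0
  if pids=$(listener_pids "$ZOOM_PORT"); then
    echo "listener on port $ZOOM_PORT (PID COMMAND):"
    echo "$pids"
    status=1
  else
    echo "nothing listening on port $ZOOM_PORT"
  fi
  if zoomus_dir_present "$home"; then
    echo "$home/.zoomus directory still present"
    status=1
  fi
  return $status
}

# Usage:
#   sh zoom-server-check.sh          # report only
#   sh zoom-server-check.sh --fix    # also kill the listener and block ~/.zoomus
# The report runs only when this file is executed directly; sourcing it
# just defines the functions above.
case "${0##*/}" in
  zoom-server-check.sh)
    if [ "${1:-}" = "--fix" ]; then
      listener_pids "$ZOOM_PORT" | while read -r pid _; do kill "$pid"; done
      block_zoomus "$HOME"
    fi
    check_zoom "$HOME"
    ;;
esac
```

Run the report first; if it names a PID and you did not expect a listener, the --fix path kills it and blocks the directory. Updating Zoom or applying Apple’s removal is still the real fix; this only verifies and cleans up what is left on the machine.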
Discussion
Jerod Santo
Bennington, Nebraska
Jerod co-hosts The Changelog, crashes JS Party & takes out the trash (his old code) once in awhile.
2019-07-10T18:06:53Z
I launched it today and saw an update available. I installed it. lsof doesn’t show anything listening on that port, so I assume the update removes the web server component?
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2019-07-10T19:21:23Z
I also updated Zoom today and ran lsof …nada.
Adam Stacoviak
2019-07-10T19:22:56Z
Here’s the official response from Zoom on their blog.
Adam Stacoviak
2019-07-11T19:14:52Z
Apple has pushed a silent Mac update to remove the lingering web server Zoom leaves behind ~> https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
Also, what is this magic auto-update system Apple speaks of? Anyone else aware of that being a thing? They can just write new software to my OS??
Jerod Santo
2019-07-12T14:56:17Z
your OS? 😜