July 9, 2019 02:37 pm PDT

Zoom has slow-walked a fix for a bug that allows randos to take over your Mac's camera

Zoom is an incredibly popular videoconferencing tool. In late March, security researcher Jonathan Leitschuh notified the company that its Mac software contained a ghastly vulnerability that allowed attackers to take over your camera after tricking you into clicking a malicious link. Leitschuh gave Zoom 90 days to fix the bug before going public (a common courtesy extended by security researchers when they discover dangerous bugs), then watched in dismay as the company slow-walked a response, so that when the deadline rolled around, the vulnerability was still in place.

To make things worse, Zoom's installer silently installs an insecure web server as part of its package -- a server whose defects leave Mac users vulnerable to denial of service attacks -- and then doesn't uninstall the server when you remove the software, leaving former Zoom users vulnerable until they undertake an elaborate and complex uninstall process.

Zoom defended its partial response to the vulnerability, saying that leaving the vulnerability in place preserves its convenient "one-click to join" function, calling this its "key product differentiator." It says that if users want to choose a higher level of security, they can manually reconfigure Zoom to turn off their camera until they turn it on.

Zoom has made some back-end tweaks to make this attack harder to execute, but Leitschuh describes ways that these can be trivially bypassed. Leitschuh estimates that about 4 million systems are vulnerable.

I am a regular Zoom user and I'm aghast at this behavior, which, per Leitschuh's description, was a shitshow from start to finish.


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/1OfgoEK88EU/wontfix.html
