Zoom said that it had "no indication" that any of the millions of people who use its software had ever fallen victim to the software flaw, and said that it would be "readily apparent" if anyone had access to the camera because the video application is created to be the top window on a user's computer screen.
Earlier this week, a US-based security researcher named Jonathan Leitschuh publicly disclosed a major vulnerability in Zoom's video conferencing software for Apple's Mac computers that could let any website start a video-enabled call on the system, activating its webcam.
"This re-install 'feature' continues to work to this day." An issue in the product's architecture involving a localhost web server means a third party could potentially join a videoconferencing call without permission.
By Wednesday, that position had softened, as the company announced in a heavily updated blog post that it would walk back its local web server support in a patch prepared for Tuesday night. Now, according to a report by TechCrunch, Apple has silently pushed out a macOS update that removes the Zoom web server.
The security researcher found that Zoom's video streaming settings launch automatically on Macs when users join a call.
The company addressed the issue on Tuesday afternoon in a statement on its website, where it explained the patch that will fix the problem. The patch also lets users manually uninstall Zoom through a menu option in the client software.
"Once the update is complete, the local web server will be completely removed on that device." Zoom was informed of the exploit but said that it did not plan to remove the feature because it was a "legitimate solution" that other service providers have used as well. "The first actual meeting about how the vulnerability would be patched occurred on 11 June 2019, only 18 days before the end of the 90-day public disclosure deadline."
"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't," he added.
"Persisting a webserver on a user's machine whilst giving the impression it's uninstalled is akin to a malicious threat actor."
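A defender's check for the situation the article describes (a local web server that keeps running after the client appears to be uninstalled), as an added example that is not code from the article, from Zoom or from the researcher. The article names neither the port nor the on-disk location; the values below (TCP 19421 on 127.0.0.1 and a `~/.zoomus` directory) are assumptions taken from the public disclosure of this issue, and the script only reports what it finds.

```python
"""Look for leftover traces of a hidden local web server on this host.

Added example; not from the article or from Zoom. The port and directory
are assumptions (taken from the public disclosure), not values on the page.
"""
import socket
from pathlib import Path

ASSUMED_PORT = 19421      # assumption: localhost port the web server listened on
ASSUMED_DIR = ".zoomus"   # assumption: directory left behind under $HOME


def localhost_listener(port, timeout=0.5):
    """Return True if something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success, an errno (e.g. ECONNREFUSED) otherwise
        return s.connect_ex(("127.0.0.1", port)) == 0


def check_residue(home=None, port=ASSUMED_PORT, dirname=ASSUMED_DIR):
    """Return a dict of findings; an empty dict means no residue was seen.

    Two independent signals are checked, because a removed directory with a
    still-running process (or the reverse) is exactly the case the article
    warns about: software that looks uninstalled but is not.
    """
    home = Path(home) if home else Path.home()
    findings = {}
    if localhost_listener(port):
        findings["listener"] = f"127.0.0.1:{port} is accepting connections"
    leftover = home / dirname
    if leftover.exists():
        findings["directory"] = str(leftover)
    return findings


if __name__ == "__main__":
    result = check_residue()
    if result:
        for kind, detail in result.items():
            print(f"FOUND {kind}: {detail}")
    else:
        print("clean: no local listener on the assumed port and no leftover directory")
```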