A patch will address the potential for snooping and flooding attacks.
Zoom is acting quickly on the security flaw that let intruders hijack Mac users’ webcams. The video conferencing firm is releasing a patch on July 9th (that’s today, if you’re reading in time) that removes access to the local web server behind the vulnerability. It’ll also let you manually uninstall Zoom and remove all traces of the app so that there’s no chance of an exploit later on. Another update, due for the weekend of July 12th, will ensure that new users who choose “always turn off my video” automatically have that preference honored in situations where a meeting host would normally require video to be switched on.
The company had previously defended its earlier decisions. The web server only responded to requests from the local computer, Zoom said. It argued that this was more convenient than having to confirm launching the Zoom client every time you wanted to get into a meeting. Zoom also fixed a denial-of-service bug in May, although it didn’t require an update, as this was deemed a “low-risk vulnerability.”
This won’t be a huge issue unless you’re regularly using Macs for work-related video conversations, but it promises to be a relief for the corporate crowd. It also illustrates the sheer amount of pressure to be transparent and quick about addressing security holes in the modern tech world. Researcher Jonathan Leitschuh, who discovered the flaw, noted that Zoom’s newfound willingness to patch out the web service represented an “about face” — it went from rationalizing its existing strategy to planning a fix in a matter of hours.