Zoom.logo

Analyst says Zoom web server is defenseless against remote code execution

Spread the love

For Zoom, the hits simply continue coming. The most recent is the arrival of a long-mooted remote code execution (RCE) misuse that is said to be harboured in the controversial local web server which had been installed on Macs to avoid an extra click for clients.

The analyst who started the debacle for Zoom, Jonathan Leitschuh, said on Twitter on Friday that a RCE currently existed for it.

“That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!” he wrote.

“Mac Admins: make sure Zoom is up to date or that daemon is removed!

“Specifically, you are vulnerable if you’ve uninstalled the Zoom application from your computer without killing the ZoomOpener process and then deleting ~/.zoomus directory.”

The exploit is set to be handled the CVE-2019-13567 label.

One twitter client showed off the exploit in action.

On Thursday, Apple revealed a quiet update that killed off Zoom utilizing its malware removal infrastructure.

Toward the beginning of the furor, Zoom defended the utilization of the web server, saying to ZDNet in an explanation that it was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

The following day, Zoom said it would walk back its local web server support in a fix patch prepared for Tuesday night.

Zoom told ZDNet previously its change in course was in light of client feedback, not security concerns.

“There was never a remote code execution vulnerability identified,” the organization said two days back.

“Zoom decided to remove the web server based on feedback from the security community and our users.”

Leitschuh said toward the beginning of the week the use of the local server was a fundamental security vulnerability, and sites ought not communicate with applications in such a fashion.

“Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me,” he wrote.

“Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher.”

Gabriel Fetterman

Disclaimer: The views, suggestions, and opinions expressed here are the sole responsibility of the experts. No Infuse News journalist was involved in the writing and production of this article.

Leave a Reply

Your email address will not be published. Required fields are marked *