Fwd: [k8s security] [URGENT] Security Advisory for Zoom on macOS


Brandon Philips

Jul 9, 2019, 4:04:30 PM
to kubernetes-sec...@googlegroups.com
This isn't a Kubernetes issue but given the wide use of Zoom in the Kubernetes community I want to ensure as many people see this Zoom issue as possible.

Thank You,

Brandon on behalf of the Kubernetes Security Committee

---------- Forwarded message ---------
From: Christoph Blecker <cble...@gmail.com>
Date: Tue, Jul 9, 2019 at 9:37 AM
Subject: [k8s security] [URGENT] Security Advisory for Zoom on macOS
To: <kuberne...@googlegroups.com>, <kubernetes...@googlegroups.com>, <stee...@k8s.io>, <secu...@k8s.io>, <ih...@cncf.io>, <canis...@linuxfoundation.org>


TL;DR: If you run Zoom on macOS, you need to review this entire e-mail to understand potential security risks to your system and privacy.


Please feel free to forward this advisory as necessary.


-----


It was publicly announced yesterday by a security researcher that there are vulnerabilities and insecure default settings in the Zoom web conferencing client for macOS.


1. Persistent local web server

A process called the “ZoomOpener” is installed with Zoom, and runs as a persistent local web server on your system. This web server allows you to join meetings when you click a zoom link (e.g. https: //zoom.us/j/123456789).


This process had some flaws that were fixed, but you can still be forced to join a meeting without confirmation by a malicious website that embeds an iframe. 


This web server persists if you uninstall the Zoom client, and will re-download, install, and launch the Zoom client if you visit a zoom.us link like the above example.


The only current workaround is disabling and removing this web server, followed by clearing your browser cache.


A complete set of commands to run is available here: https://gist.github.com/cblecker/8af229ff143512529544a945b4e43f72



2. Auto-joining calls with video/audio enabled

By default, the Zoom client permitted the host of a meeting to force participants to join a meeting with their video/audio enabled immediately. This, paired with the previous security flaw, meant a malicious user could, via a maliciously crafted webpage, force a user to join a Zoom meeting with video and audio instantly enabled.


To ensure that your Zoom client doesn’t auto join calls with audio/video enabled, please ensure the following two checkboxes are checked, and that you are running the latest Zoom client:

Contributor Experience continues to monitor the situation and will provide more information if and when it becomes available. 


Thank you for your assistance in keeping our community safe and secure.


- Christoph (on behalf of Kubernetes SIG Contributor Experience)

--
You received this message because you are subscribed to the Google Groups "security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security+u...@kubernetes.io.
To view this discussion on the web visit https://groups.google.com/a/kubernetes.io/d/msgid/security/CADx2oGE2kyLOxp%3Di-eQ_0Ye8Da7zJe3KKOWgjETE6bPdNPt86g%40mail.gmail.com.
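The following script is an added example and is not part of the advisory above, nor the code in the linked gist. It automates the item 1 workaround (stop the persistent ZoomOpener web server, remove it, and keep it from being re-created) and exposes each step as a function so the result can be checked on a scratch path before it is run against the real home directory. It assumes, from the public disclosure rather than from this e-mail, that ZoomOpener is installed under ~/.zoomus and listens on localhost TCP port 19421; verify both against the gist before relying on them.

```shell
#!/bin/sh
# Added example, not from the advisory or the linked gist. Automates the
# item 1 workaround: stop the persistent ZoomOpener web server and make its
# install directory unrecreatable. Assumptions (from the public disclosure,
# not stated in the e-mail): ZoomOpener lives in ~/.zoomus and listens on
# localhost TCP port 19421.
ZOOM_PORT="${ZOOM_PORT:-19421}"
ZOOM_DIR="${ZOOM_DIR:-$HOME/.zoomus}"

# Exit 0 if a ZoomOpener process is running (exact process-name match).
zoomopener_running() {
    pgrep -x ZoomOpener >/dev/null 2>&1
}

# Exit 0 if anything is listening on the assumed local ZoomOpener port.
zoom_port_listening() {
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

# Print a path's permission bits in octal; macOS and GNU stat differ.
perm_octal() {
    case "$(uname -s)" in
        Darwin) stat -f %Lp "$1" ;;
        *)      stat -c %a "$1" ;;
    esac
}

# Kill the server, delete its directory, and leave a zero-length mode-000
# file in its place so a later visit to a zoom.us link cannot re-install
# ZoomOpener there. The path is a parameter so the function can be
# exercised on a scratch directory first.
neutralize_zoomopener() {
    dir="$1"
    pkill -x ZoomOpener 2>/dev/null || true
    rm -rf "$dir"
    touch "$dir"
    chmod 000 "$dir"
}

# Exit 0 when the path is an empty regular file with no permission bits,
# i.e. the blocker is in place and the install directory is gone.
zoomopener_neutralized() {
    dir="$1"
    [ -f "$dir" ] && [ ! -s "$dir" ] && [ "$(perm_octal "$dir")" = "0" ]
}

# Only touch the real home directory when invoked with --apply, so the
# file can be sourced or tested without side effects.
if [ "${1:-}" = "--apply" ]; then
    if zoomopener_running || zoom_port_listening; then
        echo "ZoomOpener is active; neutralizing $ZOOM_DIR"
    else
        echo "ZoomOpener not detected; neutralizing $ZOOM_DIR anyway"
    fi
    neutralize_zoomopener "$ZOOM_DIR"
    zoomopener_neutralized "$ZOOM_DIR" && echo "done; now clear your browser cache"
fi
```

Run it as `sh zoomopener-workaround.sh --apply`, then clear the browser cache as the advisory says, since the cached page can otherwise re-trigger the join. The mode-000 placeholder only blocks the user-level re-install path described in the e-mail; it is not a substitute for updating the Zoom client and checking the two settings in item 2.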