Reflections on the ZoomMac Security Debacle

Zoom Video Communications last week responded to a zero-day security threat, as reported on No Jitter. While that threat has been resolved, questions linger. Security vulnerabilities are common, but rare within enterprise communications. This particular issue has caused confusion and divisiveness.

Zero-day threats exploit previously unknown vulnerabilities; the vendors involved have essentially zero days to fix them. Zero-day exploits, in the wrong hands, can be malicious, and there are literally armies out there working to discover them.

If a zero-day vulnerability is discovered by someone without malicious intent, there is a responsible way to report the issue that balances safety with developer recognition. Responsible researchers privately notify the company or organization responsible for the vulnerability, and potentially work jointly toward a resolution. They give the vendor 90 days to correct the vulnerability before publishing their discovery.

In the case of the Zoom issue publicized last week, the researcher attempted to notify Zoom on March 8, and started the 90-day clock on March 26 (ending on June 24). Zoom was quick to point out that, to its knowledge, this vulnerability was theoretical. That's not really a defense. Malicious actors don't publicize their exploits. Nor can we assume that, were there any victims, they were 1) aware of having been subjected to the exploit and 2) willing to publicize it.

We tend to have higher expectations for enterprise-grade software. While Zoom moved quickly once the researcher published his report, things appear to have moved more slowly during the 90-day notification period. The researcher implied that Zoom didn't respond appropriately, questioned the risk, and offered incomplete workarounds. Zoom has denied the researcher's claims, but we know that the vulnerability was still there after 90 days. The researcher also claimed that Zoom offered payment to avoid public disclosure.

The Response

After last week's public disclosure, on July 8, Zoom acted swiftly and responsibly. Zoom released a patch on July 9. Additionally, Zoom communicated its progress to customers and the public, including a live interactive session in which CEO Eric Yuan responded to security questions.

With the Zoom vulnerability causing widespread confusion, many competitors, including BlueJeans, Cisco, Highfive, and Lifesize, posted statements on their security postures. To be clear, however, only Zoom and RingCentral, which uses the Zoom video software, were affected by the vulnerability. RingCentral didn't post a statement.

The Web at Heart

At the heart of this vulnerability was a Web server. The Mac client consists of two components: the Zoom app and a related Web server that is created during installation. The local Web server was intended to simplify the user experience: it redirects the conference Web address from the browser to the application. Getting a browser to defer to a local application is natural on mobile, reasonable on Windows, but difficult on a Mac.

In addition to ease of use, Zoom is working to create a similar experience across clients. That's tricky because app developers don't generally control the operating systems and browsers. MacOS is more restrictive, so Zoom had to take extra steps in the Mac client.

The Web server effectively enables click-to-join functionality, a major breakthrough in video conferencing usability. Without the Web server, it might be click-to-click-to-join, which is less trivial than it sounds. Zoom isn't the only vendor to implement this helper approach. However, it made a mistake by allowing an undocumented API to do more than redirect the meeting to the client: it could also re-install the app. Because that server listens on the user's own machine, any page or ad the browser loads can cause the browser to send it a request; the browser's same-origin policy restricts reading the response, not sending the request, so the helper itself has to decide which requests to honor. Also, Zoom never addressed removal of the Web server.

What Risk?

It's a blurry line between a bug and a vulnerability. To reduce the ambiguity of what constitutes a risk, vulnerabilities are scored with the Common Vulnerability Scoring System (CVSS), which the National Institute of Standards and Technology uses in its National Vulnerability Database. This particular Zoom vulnerability rated a 5.2 out of 10. However, risk is difficult to assess, as opinions differ on matters of privacy and security.

The vulnerability was that a malicious Web page or ad could cause the Mac's browser to start, or re-install and start, the Zoom client without user consent, potentially with the camera on.

While the vulnerability and outcome were a surprise, they resulted from deliberate design decisions that prioritized ease of use over other considerations. Zoom intended for its app to update automatically and to start seamlessly after a click on a conference link. Unfortunately, it did a bit more.

Joining a meeting with the camera (and microphone) on does make sense to me, but only if the user actively started or joined a conference. Also, Zoom violated an unwritten rule that removing an app should remove all of its components. Uninstalling Zoom not only left a component behind, but one that could re-install Zoom without the user's knowledge or consent. These vulnerabilities existed on every Mac that currently has, or at any point had, the Zoom client installed.

The Fix

Zoom released a patch that removed the offending Web server on the Mac. The user experience is largely unchanged; however, Safari users now have an extra click. The impact a few years ago would have been much more significant, so in a sense the Web server is a legacy component that outlived its usefulness.

The most remarkable aspect of this story came July 10, when Apple also removed Zoom's Web server. This type of single-app response from Apple is extremely rare, and very curious.

We want conference participants to be comfortable discussing whatever is on their minds. This requires a comprehensive approach to security. While I support camera-on by default, it must be user-initiated. Encryption should also be on by default, and this is another area that Zoom users should review.

The Legacy of Video Conferencing

For most of its history, video conferencing has simply been too complicated. Every app has its settings in a different place, and five minutes easily pass while users find and adjust settings, devices, and preferences. Eliminating the dreaded five-minute delay has been the unifying march of the video industry over the past several years.

The irony of this whole situation is that Zoom is using a Web server to run its app when the Web browser could just do the whole thing anyway. I understand how we got here, but question why we remain. It's taken years for a browser reality, but it did arrive and continues to get better. WebRTC has evolved and is now generally supported across browsers. WebRTC support can be found in services from BlueJeans, Cisco Webex, Google, Highfive, LifeSize, Microsoft Teams, and more. Google and Highfive don't even offer a traditional desktop client.

There's more to WebRTC than just a browser. Its broad adoption and open source code attract rigorous testing and scrutiny, so zero-day vulnerabilities are less likely with WebRTC than with closed commercial software. WebRTC also leverages ongoing browser improvements, including performance, security, and encryption. The browser, as a universal client, means fewer apps to maintain and update, and also offers a consistent experience across devices and operating systems.

As we move more toward software delivered as a service, our providers become more than suppliers: they become partners. Things move quickly in a hyper-connected world, so the old best practice of carefully evaluating software before updating is obsolete. Not only are software updates more frequent and incremental, but the risk of waiting is high. We have to trust our providers to operate responsibly, and if or when they don't, that trust can be irreparably damaged. But that's OK; the cloud also makes it easier than ever to change providers.

Final Thoughts

Visual communications is one of the hottest topics in enterprise communications, and for good reason. As I described here, we're living in a visual-first world. Video is now central to the enterprise collaboration suites from Cisco, Google, Microsoft, and Zoom. As video adoption and usage increase, we need to escalate security, even over ease of use. It was reasonable to favor ease of use over security when video systems were less popular and more complex. But we've come a long way, as have the risks. Video, like other services, is transitioning from premises-based to cloud-delivered, and with that, security concerns become critical.

Dave Michels is a contributing editor and analyst at TalkingPointz, and host of the TalkingHeadz podcast.
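The helper-server design discussed above, a loopback Web server that any page the browser loads can reach, with an API that could do more than launch the client, is easiest to reason about as a request policy. What follows is an added example written for this page, not Zoom's code and not taken from the researcher's report; every concrete name in it (the /launch and /install paths, the https://meet.example site, the one-shot token, the nine-to-eleven-digit meeting id) is a hypothetical assumption. It places the weak shape the article describes beside a hardened one and runs constructed requests through both.

```javascript
// Added example, not Zoom's code. A request policy for a loopback "click-to-join" helper,
// in the weak shape the article describes beside a hardened one.
// Hypothetical assumptions (not from the article): the helper serves /launch?id=<meeting>,
// the only site entitled to drive it is https://meet.example, and that site mints a
// single-use token when the user actually clicks "Join".

const TRUSTED_ORIGINS = new Set(["https://meet.example"]);
const MEETING_ID = /^[0-9]{9,11}$/;

function deny(reason) {
  return { action: "deny", reason };
}

// Weak: any page that can make the browser fetch the loopback URL (an <img> tag, an ad
// iframe, a script) gets the action, and the API reaches past "launch" into "reinstall".
// The same-origin policy stops the page reading the reply; it does not stop the request.
function weakPolicy(req) {
  if (req.path === "/launch") {
    return { action: "launch", meeting: req.query.id, camera: "on" };
  }
  if (req.path === "/install") {
    return { action: "reinstall" };
  }
  return deny("unknown path");
}

// Hardened: only the trusted origin, only an explicit POST, only the launch action, only
// with a single-use token bound to a user click, and the camera stays off until the user
// confirms in the client. Anything else, including a reinstall request, is refused.
function hardenedPolicy(req, state) {
  const origin = req.headers.origin || null; // browsers omit Origin on <img>/<script> loads
  if (!TRUSTED_ORIGINS.has(origin)) return deny("untrusted or missing origin");
  if (req.method !== "POST") return deny("side effects require POST");
  if (req.path !== "/launch") return deny("action not exposed to the browser");
  if (!MEETING_ID.test(req.query.id || "")) return deny("malformed meeting id");
  const token = req.query.token || "";
  if (!state.pendingTokens.has(token)) return deny("missing, unknown or replayed token");
  state.pendingTokens.delete(token); // one shot: a replay of the same request fails
  return { action: "prompt-then-launch", meeting: req.query.id, camera: "off" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  evilImg:    { method: "GET",  path: "/launch",  query: { id: "123456789" },
                headers: { referer: "https://evil.example/ad.html" } },
  evilPost:   { method: "POST", path: "/launch",  query: { id: "123456789", token: "guess" },
                headers: { origin: "https://evil.example" } },
  evilInst:   { method: "GET",  path: "/install", query: {}, headers: {} },
  trustedInst:{ method: "POST", path: "/install", query: { token: "t-1" },
                headers: { origin: "https://meet.example" } },
  goodPost:   { method: "POST", path: "/launch",  query: { id: "123456789", token: "t-1" },
                headers: { origin: "https://meet.example" } },
};

function newState() {
  return { pendingTokens: new Set(["t-1"]) }; // token minted when the user clicked Join
}

// Runs every sample through both policies and returns the chosen actions.
function runScenarios() {
  const state = newState();
  return {
    weakImg:         weakPolicy(SAMPLES.evilImg).action,  // launch, camera on, no consent
    weakInstall:     weakPolicy(SAMPLES.evilInst).action, // reinstall from any web page
    hardImg:         hardenedPolicy(SAMPLES.evilImg, state).action,
    hardEvilPost:    hardenedPolicy(SAMPLES.evilPost, state).action,
    hardTrustedInst: hardenedPolicy(SAMPLES.trustedInst, state).action, // even trusted site
    hardGood:        hardenedPolicy(SAMPLES.goodPost, state).action,
    hardReplay:      hardenedPolicy(SAMPLES.goodPost, state).action,    // token consumed
  };
}

console.log(runScenarios());
```

The order of the checks matters: the origin and path are refused before the token is consumed, so a rejected request cannot burn the token the user's real click produced, while the successful launch consumes it so the same request replayed from cache or a second tab is refused. The hardened policy also returns "prompt-then-launch" rather than "launch": the helper hands off to the client, and the client, not a Web request, decides whether the camera comes on.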