
TIMO ZIMMERMANN

balancing software engineering & infosec

Zoom, web servers and silent updates

posted on Sunday 14th of July 2019

Just in case you have not caught the news: Zoom, a video conferencing solution, decided to put a web server on your system which lets people remotely dial you into a call, video enabled. Now the ordinary user might think “that’s bad, let me uninstall Zoom”, and they would be right. But there is a catch! Zoom does not uninstall the web server when you uninstall the application. But do not worry, this is not a bug, it is a feature!

After some push back Zoom decided this actually is a big deal and pushed a patch which removes the web server. That only helps if you still happen to have Zoom installed; otherwise the web server will just sit there. Apple decided to jump in and push a silent update – no user interaction required – to remove the web server.

What can we learn from this story?

Well, first of all: Do not use Zoom.

If you are using it, start evaluating alternatives. Not because they messed up, this happens to everyone. But because they simply disregarded a significant vulnerability, basically told us they do not care about the term “uninstall” doing what a user would expect – hey, it is a feature, right? – and forced third party action to keep users safe. This is simply unacceptable and shows a total lack of understanding when it comes to security.

We all knew that Apple can push silent updates, but I think we will see some discussions around OS ownership once again now that it is in the press. How much control should Apple have over your system without asking or notifying you about it? I am still okay with silent updates – for the vast majority of users this is exactly the right solution to keep malware and things like Zoom in check. Some day this might change: the first time a questionable “business decision” is the reason for a silent update will be the day the narrative changes – in the end Apple is a business, and businesses change leadership, which brings in new and different ideas. I would still hope for a very prominent notification in the form of “$x installed to do $y”.

Going beyond that I would imagine we will see more similar news in the future – I do not believe other video conferencing solutions are actually doing a lot better with all the little helpers, plugins and other crapware they force you to install.

One thing that often comes up in discussions around this incident is what users can do as of today to prevent things like this from happening in the future. This is actually a tricky question. I would assume not all people affected by this chose to use Zoom; they were told to by their organisation.

If you have to (or want to) use Zoom or similar: Use a browser without plugins or local applications. Many tools are usable in a modern browser without the need for plugins. Some hide additional features like screen sharing behind a plugin, which many participants in a meeting likely will never need. Prefer plugins over dedicated applications you have to install. I would also suggest evaluating mobile applications – they are often feature complete, do not spin up the fans of your system, work quite well and do not force you to install anything on your workstation.

Lastly: Act. This incident should be enough reason for companies to reevaluate their choice of video conferencing software. Not because they had a vulnerability (again: this happens), but because of the disregard and blatant ignorance they showed. In a business environment you often discuss critical information – do you really want to trust software and a company that handles security incidents this way?