Reflections on the Zoom/Mac Security Debacle

Zoom Video Communications last week responded to a zero-day security threat, as reported on No Jitter. While that threat has been resolved, questions linger. Security vulnerabilities are common, but rare within enterprise communications. This particular issue has caused confusion and divisiveness.

 

Zero-day threats exploit previously unknown vulnerabilities. The vendors involved have essentially zero days to fix the issues. Zero-day exploits, in the wrong hands, can be malicious. There are literally armies out there working to discover them.

 

If a zero-day vulnerability is discovered by someone without malicious intent, there is a responsible way to report the issue that balances safety with developer recognition. Responsible developers privately notify the company or organization responsible for the vulnerability, and potentially work jointly toward a resolution. They provide the vendor 90 days to correct the vulnerability before publishing their discovery. In the case of the Zoom issue publicized last week, the developer attempted to notify Zoom on March 8, and started the 90-day clock on March 26 (ending on June 24).

 

It’s a blurry line between a bug and vulnerability. In order to address the ambiguity of what constitutes a risk, the National Institute of Standards and Technology created a Common Vulnerability Scoring System. This particular Zoom vulnerability rated a 5.2 out of 10. However, risk is difficult to assess as opinions differ on matters of privacy and security. The vulnerability was that a malicious Web page or ad could cause the Mac’s browser to start, or re-install and start, the Zoom client without user consent -- potentially with the camera on.

 

While the vulnerability and outcome were a surprise, they had resulted from deliberate design decisions that prioritized ease of use over other considerations. Zoom intended for its app to update automatically, and seamlessly start after clicking on a conference link. Unfortunately, it did a bit more.

 

Joining a meeting with the camera (and microphone) on does make sense to me, but only if the user actively started or joined a conference. Also, Zoom violated an unwritten rule that software app removal should remove all components. Uninstalling Zoom not only left a component behind, but one that could re-install Zoom without the user’s knowledge or consent. These vulnerabilities existed on every Mac that currently has or had loaded the Zoom client.

 

Zoom was quick to point out that to its knowledge, this vulnerability is theoretical. That’s not really a defense. Malicious actors wouldn’t publicize their exploits. Nor can we assume that, were there any victims, that they were 1) aware of subject to the exploit and 2) were willing to publicize it.

 

After last week’s public disclosure, on July 8, Zoom acted swiftly and responsibly. Zoom released a patch on July 9. Additionally, Zoom communicated its progress with customers and the public including a live interactive session with CEO Eric Yuan, who responded to security questions.

 

With the Zoom vulnerability causing widespread confusion, many competitors, including BlueJeans, Cisco, Highfive, and Lifesize, posted statements on their security postures. To be clear, however, only Zoom and RingCentral, which uses the Zoom video software, were impacted by the vulnerability. RingCentral didn’t post a statement.

 

While Zoom moved quickly once the researcher published his report, things appear to have moved more slowly during the 90-day notification period. The developer implied that Zoom didn’t respond appropriately, questioned the risk, and offered incomplete workarounds. Zoom has denied the researcher’s claims, but we know that the vulnerability was still there after 90 days. The researcher also claimed that Zoom offered payment to avoid public disclosure.

 

At the heart of this vulnerability was a Web server. The Mac client consists of two components, the Zoom app and a related Web server that gets created during the installation. The local Web server was intended to simplify the user experience. It redirects the conference Web address from the browser to the application. Getting a browser to defer to a local application is natural on mobile, reasonable on Windows, but difficult on a Mac.

 

For most of its history, video conferencing has simply been too complicated. Every app has its settings in a different place and five minutes easily pass while users find and adjust settings, devices, and preferences. Eliminating the dreaded five-minute delay has been the unifying march of the video industry over the past several years.

 

The Web server effectively enables click-to-join functionality -- a major breakthrough in video conferencing usability. Without the Web server, it might be click-to-click-to-join, which is less trivial than it sounds. Zoom isn’t the only vendor to implement this helper approach. However, it made a mistake by allowing an undocumented API to do more than redirect the meeting to the client -- it also could re-install the app. Also, Zoom never addressed removal of the Web server. We tend to have higher expectations for enterprise-grade software.

 

In addition to ease of use, Zoom is working to create a similar experience across clients. That’s tricky because the app developers don’t generally control the operating systems and browsers. MacOS is more restrictive, so Zoom had to initiate extra steps on the Mac client.

 

Zoom released a patch that removed the offending Web server on the Mac. The user experience is largely unchanged; however, Safari users now have an extra click. The impact a few years ago would have been much more significant, so in a sense the Web server is a legacy component that outlived its usefulness. The most remarkable aspect of this story came July 10, when Apple also removed Zoom’s Web server. This type of single-app response from Apple is extremely rare, and very curious.

 

The irony of this whole situation is that Zoom is using a Web server to run its app when the Web browser could just do the whole thing anyway. I understand how we got here, but question why we remain. It’s taken years for a browser reality, but it did arrive and continues to get better. WebRTC has evolved and is now generally supported across browsers. WebRTC support can be found in services from BlueJeans, Cisco Webex, Google, Highfive, LifeSize, Microsoft Teams, and more. Google and Highfive don’t even offer a traditional desktop client.

 

There’s more to WebRTC than just a browser. Its broad adoption and open source undergoes rigorous testing. Seeing zero-day vulnerabilities is less likely with WebRTC than commercial software. WebRTC also leverages ongoing browser improvements, including performance, security, and encryption. The browser, as a universal client, means fewer apps to maintain and update, and also offers a consistent experience across devices and operating systems.

 

Visual communications is one of the hottest topics in enterprise communications -- and for good reason. As I described here, we’re living in a visual-first world. Video is now central to the enterprise collaboration suites from Cisco, Google, Microsoft, and Zoom.

 

As video adoption and usage increases, we need to escalate security -- even over ease of use. It was reasonable to favor ease of use over security when video systems were less popular and more complex. But we’ve come a long way -- as have the risks. Video, like other services, is transitioning from premises-based to cloud-delivered, and with that security concerns become critical.

 

We want conference participants to be comfortable discussing whatever is on their minds. This requires a comprehensive approach to security. While I support camera-on by default, it must be user-initiated. Encryption should also be on by default, and this is another area that Zoom users should review.

 

As we move more toward software delivered as a service, our providers become more than suppliers -- they become partners. Things move quickly in a hyper-connected world, so the best practice of carefully evaluating software before updating is obsolete. Not only are software updates more frequent and incremental, but the risk of waiting is high. We have to trust our providers to operate responsibly, and if or when they don’t that trust can be irreparably damaged. But that’s OK, the cloud also makes it easier than ever to change providers.