What to do now
The fix, thanks to Zoom changing its stance, appears to be as simple as accepting Zoom updates as they arrive. In an update to Zoom's big blog post about the flaw, the company stated that a patch arriving tonight (July 9) at or before 3 a.m. EST/midnight PST will resolve the issue. Users will be prompted to update the app, and once the update is finished, "the local web server will be completely removed on that device."
The update will also supposedly improve the uninstall procedure. Zoom's post states "We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server."
We look forward to seeing if Jonathan Leitschuh and other security researchers think Zoom's doing a thorough and proper job.
To safeguard your Mac, open Settings for Zoom — click Zoom in the menu bar, then click Settings — and open the Video section. Then check the box next to "Turn off my video when joining a meeting."
In his post, Leitschuh also shared commands for use in the Terminal. Those instructions get a bit complicated and are best suited to tech-savvy users who would rather remove the web server by hand. The commands are meant to eradicate the web server that Zoom creates on the Mac.
How it works
Want to see it for yourself?
If you've ever had Zoom on your machine, you can see this for yourself.
Search Leitschuh's blog post for the phrase "zoom_vulnerability_poc/" — that's the link to his proof of concept, which launches a Zoom call. The first link is an audio-only version; the second link, which includes 'iframe' in the URL, starts a call with video active.
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
This article originally appeared on Tom's Guide.