Security researcher Karan Lyons reported a serious vulnerability in the video conferencing services RingCentral (used by 350 000) and Zhumu (in effect, the Chinese version of Zoom). The vulnerability allowed attackers to access the cameras and microphones of laptops.
Both RingCentral and Zhumu use licensed Zoom technology, in which a vulnerability was previously discovered that allows the web camera to be enabled without permission and the user to be connected to a Zoom conference. As in the case of Zoom, RingCentral installed a service on the computer that listened for calls and was not removed during a regular uninstallation of the application.
On July 9, Zoom released a software update that partially fixes the bug. On July 10, Apple released an automatic update for Mac computers that deletes the hidden Zoom web server. Lyons suggested that a similar issue may occur in other applications that use Zoom, and so published a fix for all three programs on GitHub.
RingCentral has released update 7.0.151508.0712 for macOS, which corrects the deficiency. Zhumu has not yet released a patch to fix the vulnerability.