The apology Zoom should have made

AFTER INITIALLY SAYING that it wouldn’t issue a full fix for a vulnerability disclosed on Monday, the video conferencing service Zoom has changed course. The company now tells WIRED that it will push a patch on Tuesday to alter Zoom’s functionality and eliminate the bug. You should update Zoom now.

The Zoom controversy stems from the service’s slippery video streaming settings that launch instantly on Macs when users join a call. Late Monday evening, the company published an extensive statement defending the practice and addressing other bugs found by security researcher Jonathan Leitschuh. But it declined to fully address the concern that an attacker could distribute a malicious Zoom call URL, trick users into clicking it, and then open a channel to their lives when their webcam automatically activated. Zoom originally said that it would adjust the settings by which a user chooses to launch video by default with every call.

Wired https://www.wired.com/story/zoom-flaw-web-server-fix/

What the CEO should have said:

Over the last few years we’ve been trying a ton of stuff here at Zoom, and one of those things was running a pared-down web server on your machine to help us in three areas:

1) To streamline the process of connecting to calls. A major point of friction starting conferences on the internet has been getting the call software installed and connected to the right meeting. Our mission is to solve this problem and so we’ve tried many out-of-the-box ideas to see if we can make it simple and easy.

2) To make our product more sticky. We added the ability to automatically re-install the Zoom client and connect you to a call if you had removed it, helping us get those great reviews talking about how Zoom feels like magic to use and is so much easier than other conferencing solutions.

3) Our enterprise customers have a ton of requirements for getting Zoom running and making it easier for their staff to use. If it looks like we’re doing odd things there’s probably a huge enterprise deal or use case that the weird thing helps with.

We realise we’re way over the line with this solution. We’re sorry. While it may be appropriate for some enterprise customers, we never should have rolled it out to all of you. We’re going to fix it.

— Zoom CEO

What the CEO did say:

To Our Valued Customers:

Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough — and that’s on us. We take full ownership and we’ve learned a great deal. What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.

We are making a number of changes to ensure that we do better. Here is what we’ve already done and plan to do:

Tuesday, July 9

Zoom issued an update to our Mac app with the following:

Removed the local web server via a prompted update.

Allowed users to manually uninstall Zoom. This new option in the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings.

Wednesday, July 10

Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.

Weekend of July 13

We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)

Ongoing

Improving bug bounty program: Zoom will go live with its public vulnerability disclosure program in the next few weeks, supplementing our existing private bug bounty program. In the meantime, we encourage anyone with security concerns to reach out at support.zoom.us.

Our current escalation process clearly wasn’t good enough in this instance. We have taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns.

Zoom is a platform built around and for our customers, and maintaining your trust is paramount. We hope through these ongoing efforts we will regain and rebuild any lost confidence, and build a stronger service for our customers.

Eric S. Yuan

Zoom Founder and CEO

Zoom Blog https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/
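Neither statement above tells a Mac owner how to confirm the hidden web server is actually gone. Here is a small check I added for that purpose; it is not Zoom's or Apple's code, and it rests on two facts the page itself does not state: the helper was installed at ~/.zoomus/ZoomOpener.app and listened on TCP port 19421 on localhost. Both values are parameters, so adjust them if your install differed.

```shell
#!/bin/sh
# Post-patch check for the Zoom local web server ("ZoomOpener") on macOS.
# Added example, not Zoom's own code.
# Assumptions not stated on the page: the helper lived at
#   ~/.zoomus/ZoomOpener.app and listened on localhost TCP port 19421.

# Returns 0 if the ZoomOpener bundle is still on disk under the given home
# directory (defaults to $HOME), 1 otherwise.
zoom_opener_present() {
  home="${1:-$HOME}"
  [ -d "$home/.zoomus/ZoomOpener.app" ]
}

# Returns 0 if something is listening on the given TCP port (default 19421),
# 1 if nothing is, 2 if lsof is not available to answer the question.
zoom_opener_listening() {
  port="${1:-19421}"
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1
  else
    return 2
  fi
}

# Human-readable summary; exits non-zero if either check finds residue,
# so the script can be dropped into a fleet-management job.
zoom_opener_report() {
  status=0
  if zoom_opener_present "$@"; then
    echo "ZoomOpener.app still present under ${1:-$HOME}/.zoomus"
    status=1
  else
    echo "ZoomOpener.app not found"
  fi
  zoom_opener_listening
  case $? in
    0) echo "something is listening on localhost:19421"; status=1 ;;
    1) echo "nothing listening on localhost:19421" ;;
    2) echo "lsof not available; skipped port check" ;;
  esac
  return "$status"
}

# Usage: sh zoom_opener_check.sh   (checks the current user's home directory)
[ "${0##*/}" = "zoom_opener_check.sh" ] && zoom_opener_report
```

Because Apple's removal ran silently, a clean result from both checks is the only visible evidence most users will get that the July 10 update reached their machine.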

Did he make any attempt to explain why they were doing what they did? Or why it was bad? No. Enjoy the downhill slide, Eric.

Zip zip!