Apple steps in to automatically remove Zoom’s risky software from Macs
Jul 12 2019
The issue was also reported to the Chromium and Mozilla security teams, but since it is not a flaw in the browsers themselves there was little they could do to close it.
Many users may not even be aware the problem exists if they have already uninstalled the app, because the web server stays behind. What makes this story unusual is that Apple is pushing an update to fix a problem in the software of an above-board developer with over four million users. Zoom, in its statement, acknowledged its handling of the disclosure: "In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough - and that's on us." Additionally, you can disable the option to automatically turn on your camera when you join a Zoom video call.
This was possible because Zoom installs a local web server on macOS.
Apple took matters into its own hands by issuing a silent update to Macs.
If you uninstall Zoom, that web server persists and can reinstall Zoom without any action on your part.
On Monday, Zoom found itself in hot water after security researcher Jonathan Leitschuh revealed that any website "[could] forcibly join a user to a Zoom call, with their video camera activated, without the user's permission".
The issue stems from the fact that Zoom installs and runs a web server on Macs, which lets web pages hand it requests that the browser itself would otherwise refuse or prompt the user about. Leitschuh noted that "this re-install 'feature' continues to work to this day". The Apple representative said the company took this action to protect users against the dangers posed by the web server.
Zoom independently confirmed the vulnerability.
Only hours after media reports began going live, Zoom surprisingly reversed its stance and pushed out an immediate patch to fix the security issue, followed by an official statement.
According to Zoom, updating will 'remove the local web server entirely'.
Leitschuh said the use of the local server was a fundamental security vulnerability, and that websites should not communicate with applications in this fashion.
"Once the update is complete, the local web server will be completely removed on that device." Zoom also added that it had no indication that any of its users had fallen victim to this privacy issue so far.
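As an added example (not code from the article, from Zoom or from Apple), here is a check a Mac user could run to confirm that the leftover web server described above is really gone after the update. It assumes the loopback port 19421 and the hidden ~/.zoomus directory named in the public disclosure, neither of which this article mentions; verify both before relying on the script:

```shell
#!/usr/bin/env bash
# Added example, not code from the article, Zoom or Apple: check a Mac for the
# local web server that Zoom's client left behind. The loopback port (19421)
# and the hidden ~/.zoomus directory that held ZoomOpener.app are taken from
# the public disclosure, not from this article; treat them as assumptions and
# confirm them on your own machine.

ZOOM_PORT=19421
ZOOM_HIDDEN_DIR="${HOME}/.zoomus"

# Parse the output of `lsof -nP -iTCP:19421 -sTCP:LISTEN`. Exit status 0 means
# some process is listening on the Zoom port; 1 means nothing is. The parsing is
# kept apart from the lsof call so it can be exercised on captured output.
zoom_server_listening() {
  printf '%s\n' "$1" | awk -v port=":${ZOOM_PORT}" '
    NR > 1 && $NF == "(LISTEN)" && index($(NF-1), port) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Print the COMMAND column (lsof truncates it to 9 characters by default) of
# the first process listening on the Zoom port; print nothing if there is none.
zoom_listener_command() {
  printf '%s\n' "$1" | awk -v port=":${ZOOM_PORT}" '
    NR > 1 && $NF == "(LISTEN)" && index($(NF-1), port) { print $1; exit }'
}

# Run the real checks on the machine this script is executed on.
check_this_mac() {
  local out
  # lsof exits non-zero when it finds nothing, which is the good case here.
  out="$(lsof -nP -iTCP:"${ZOOM_PORT}" -sTCP:LISTEN 2>/dev/null || true)"
  if zoom_server_listening "$out"; then
    echo "FOUND: something is listening on 127.0.0.1:${ZOOM_PORT} (command: $(zoom_listener_command "$out"))"
  else
    echo "OK: nothing is listening on port ${ZOOM_PORT}"
  fi
  if [ -d "$ZOOM_HIDDEN_DIR" ]; then
    echo "FOUND: ${ZOOM_HIDDEN_DIR} exists; at the time of the disclosure it held ZoomOpener.app"
  else
    echo "OK: ${ZOOM_HIDDEN_DIR} is absent"
  fi
}

# Constructed sample of what lsof prints when the server is still running
# (the PID, user and device fields are made up).
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpene 12345 alice    5u  IPv4 0x9f2c0a1b3e4d5f60      0t0  TCP 127.0.0.1:19421 (LISTEN)'

# Show the parser on the sample, then run the live check only on macOS, where
# the server could actually exist.
if zoom_server_listening "$SAMPLE_LSOF"; then
  echo "sample: listener found, command $(zoom_listener_command "$SAMPLE_LSOF")"
fi
if [ "$(uname -s)" = "Darwin" ] && command -v lsof >/dev/null 2>&1; then
  check_this_mac
fi
```

Run it on the Mac in question after applying the update; a FOUND line for either the port or the directory means the server or its installer is still present. The port and directory parsing is deliberately separated from the live lsof call so the logic can be checked against captured output on any system.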
Before that reversal, Zoom had committed only to releasing a patch for the vulnerability by July 11, and had said it had no plans to change the behaviour of running a phantom web server on users' computers, explicitly stating that it was "not a security concern".