In a move that Daring Fireball's John Gruber justifiably describes as "criminal", it seems that Zoom leaves risky pieces of itself behind, in the form of a local web server, even after a user would have every reason to believe they've uninstalled it.
After all of the drama over Zoom's use of a hidden web server on Macs, Apple itself has chosen to step in, TechCrunch reports.
"There was never a remote code execution vulnerability identified".
"The little adhesive camera covers available by the dozens at every computer conference or for a couple dollars on Amazon are a much better solution than relying on software to do the right thing", said Bailey.
Apple has also produced an update of its own which nukes the security hole.
Meeting joins happen all the time.
Earlier this week, a security researcher published a blog post highlighting concerns with aspects of the Zoom platform. The disclosure also comes just three months after Zoom became a public company. "A very poor decision by the folks at Zoom".
If you uninstall Zoom, that web server persists and can reinstall Zoom without your guidance. The server exists to smooth over a browser prompt: without it, clicking a meeting link makes Safari warn that Zoom is about to be launched.
According to Zoom, updating will 'remove the local web server entirely'.
But on Tuesday, Zoom reversed its decision to keep the server after the outcry against it intensified.
But a thorny problem remained.
"Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client," Zoom says.
But that lingering web server appears to pose a clear and present risk to systems.
"An organisation of this profile and with such a large user base should have been more proactive in protecting their users from attack". The hidden web server lets a meeting be joined automatically, without the user's permission.
Another expert said this example is a prime reason why people should tape over, or use camera covers on, their laptop webcams. "But a lot of these things are designed for their main objective like conferencing and not for things like security".
The researcher, Jonathan Leitschuh, said the use of the local server was a fundamental security vulnerability, and that websites should not communicate with applications in such a fashion. We've reached out to Apple regarding that question and will report if we hear more.
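The point Leitschuh makes is a design problem rather than a single bug: a service listening on 127.0.0.1 is reachable from every web page the user opens, so it must establish where a request came from before acting on it. As an added illustration (not code from the article, from Zoom or from Apple), here is a hypothetical localhost request filter showing the checks such a service needs; LISTEN_PORT, LOCAL_TOKEN, ALLOWED_ORIGINS and the sample header values are assumptions, not Zoom's.

```python
"""Added example for the local-server design flaw discussed above.

Not code from the article, from Zoom or from Apple. A service listening on
127.0.0.1 is reachable from every web page the user opens, so it must decide
whether a request came from somewhere it trusts before it acts on it. This
hypothetical filter applies the checks such a service needs; LISTEN_PORT,
LOCAL_TOKEN, ALLOWED_ORIGINS and the header values below are assumptions.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LISTEN_PORT = 8765                              # assumption, not Zoom's port
LOCAL_TOKEN = "constructed-per-install-secret"  # assumption; real code: random, in a user-only file
ALLOWED_ORIGINS = {"https://example.test"}      # hypothetical first-party web origin
LOOPBACK_HOSTS = {f"127.0.0.1:{LISTEN_PORT}", f"localhost:{LISTEN_PORT}"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_allowed(headers):
    """Decide whether an HTTP request may drive the local application.

    headers: a mapping of header name -> value (any case).
    Returns (allowed, reason). Every path that is not explicitly trusted
    ends in a rejection: the service fails closed.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host pinning. A DNS-rebinding page reaches the loopback socket
    #    with an attacker-controlled Host header; refuse anything else.
    if h.get("host") not in LOOPBACK_HOSTS:
        return False, "host is not the loopback listener"

    # 2. The installed native client proves itself with a shared secret
    #    that a web page can never read.
    if h.get("x-local-token") == LOCAL_TOKEN:
        return True, "native client token"

    # 3. Browser fetch metadata: "none" is a user-typed URL or bookmark,
    #    "same-origin" a page served by this very service.
    site = h.get("sec-fetch-site")
    if site in ("none", "same-origin"):
        return True, f"sec-fetch-site {site}"

    # 4. Otherwise only an allow-listed web origin may call in. Origin is
    #    preferred; Referer is the fallback for plain navigations.
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = origin_of(h["referer"])
    if origin is not None:
        origin = origin.lower()
        if origin in ALLOWED_ORIGINS:
            return True, f"allow-listed origin {origin}"
        return False, f"origin {origin} not allow-listed"

    # 5. No provenance at all, e.g. an <img src="http://localhost:.../...">
    #    from a browser that sends neither Origin nor Sec-Fetch-Site.
    return False, "no provenance headers"


class LocalHandler(BaseHTTPRequestHandler):
    """Minimal endpoint that only acts when request_allowed() says so."""

    def do_GET(self):
        ok, reason = request_allowed(dict(self.headers))
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(reason.encode("utf-8"))

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    # Bind to loopback only; never 0.0.0.0.
    HTTPServer(("127.0.0.1", LISTEN_PORT), LocalHandler).serve_forever()
```

Run it and `curl -v http://127.0.0.1:8765/` returns 403 with "no provenance headers": a bare request carries nothing that proves who sent it, and the filter fails closed. The deeper lesson is the one both Zoom and Apple acted on: a localhost endpoint that web pages can reach is a cross-site request target by construction, and removing it in favour of the operating system's own launch prompt is a stronger control than any header check.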
"We misjudged the situation and did not respond quickly enough - and that's on us", Yuan wrote.
"Our goal is a frictionless video experience, but clearly we've made some mistakes in that process". Zoom's patch removed the local web server, the component the exploit relied on, entirely from Mac devices.
Zoom has also announced that it plans to set up a public bug bounty programme that will pay researchers who find flaws.