After all the drama over Zoom’s use of a hidden web server on the Mac, Apple itself decided to step in, TechCrunch reports. It is releasing a silent update – meaning your Mac will get it without any interaction from you – to remove the web server, which was designed to save Safari users an extra click, from any Mac on which the Zoom software is installed.
Although Zoom itself issued an emergency patch yesterday to remove this web server, Apple apparently fears that enough users won’t update, or won’t be aware of the controversy in the first place, that it is releasing its own patch. This makes perfect sense, not only because many users may not open Zoom for a while, but also because many of them have uninstalled the app. Before Zoom’s emergency update, uninstalling the app left the web server on your computer, so Zoom would have no way to remove it with an updated app. This means that the only reasonable and easy way for these people to get this patch would be for Apple to provide it. Apple believes this software update should not affect Zoom’s ability to work on Mac.
Basically, Apple stepped in because it knew a ton of people were still going to be vulnerable after uninstalling Zoom, but either didn’t know about the vulnerability or didn’t want to install the updated version of Zoom.
— Zack Whittaker (@zackwhitaker) July 10, 2019
Apple also apparently warned Zoom that this was happening:
Zoom spokeswoman Priscilla McCarthy told TechCrunch: “We are pleased to have worked with Apple to test this update. We hope the web server issue will be resolved today. We appreciate our users’ patience as we continue to work to address their concerns.”
This whole saga started earlier this week when security researcher Jonathan Leitschuh published his concerns about a serious Zoom vulnerability that could allow any website to automatically open a Zoom conference call on your computer with the webcam on. Even if you uninstalled Zoom, the web server persisted on your machine and might even reinstall the app automatically.
Within a day, Zoom first defended the use of a web server that enabled the feature, then bowed to the pressure and updated its app to remove it. Speaking to The Verge yesterday, Zoom’s chief information security officer, Richard Farley, explained that the company doesn’t really believe there’s anything wrong with its software, but wanted to reassure anyone who disagreed:
Our initial position was that the installation of this [web server] process to allow users to join the meeting without having to make those extra clicks – we think it was the right decision. And it was requested by some of our customers. But we also recognize and respect the views of others who say they don’t want an additional process installed on their local machine. That’s why we made the decision to remove this component.
As we wrote yesterday, all of the attention on the tactic of using a web server to do extra work on your computer has focused on Zoom, but it wasn’t the only one doing it. A competing video conferencing service, BlueJeans, said it also used similar software, but felt it was more secure. Sean Simmons, senior director of product management for the company, told us:
Although BlueJeans uses a launch service […] we have mitigated this vulnerability by only allowing bluejeans.com websites to launch the BlueJeans desktop application in a meeting. Second, an uninstall of BlueJeans on Mac or Windows completely removes the app and launcher service described in the article above. We continue to review all points in the Medium post and expect to have another update shortly.
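The origin allow-listing BlueJeans describes, written out as an added example of how a local launcher service can refuse requests from arbitrary websites. This is not Zoom’s or BlueJeans’ code; the host name bluejeans.com is taken from the quote, while the exact matching rules, the loopback port and the launch hook are assumptions.

```python
"""Local-launcher request validator: only allow-listed web origins may trigger
the local app. Added example, not vendor code; the allow-listed host is taken
from the BlueJeans statement, everything else is assumed."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ALLOWED_HOST = "bluejeans.com"   # assumed: the vendor's own domain and its subdomains


def is_allowed_origin(origin):
    """True only for https origins on the allow-listed host or a subdomain of it.

    Comparing the parsed hostname (not a substring of the raw header) defeats
    look-alikes such as bluejeans.com.evil.example, evil.example/bluejeans.com
    and bluejeans.com@evil.example.
    """
    if not origin:
        return False              # no Origin header: refuse rather than assume same-site
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False              # malformed URL (e.g. broken IPv6 literal)
    host = parts.hostname         # lowercased; userinfo and port already stripped
    if parts.scheme != "https" or not host:
        return False              # "null", plain http and scheme-less values all fail here
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


def decide(headers):
    """HTTP status for a launch request, given its headers as a dict."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    return 204 if is_allowed_origin(origin) else 403


class LaunchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = decide(dict(self.headers.items()))
        self.send_response(status)
        if status == 204:
            # Echo the exact allowed origin so the browser accepts the response;
            # the real "launch the desktop app" hook would run here.
            self.send_header("Access-Control-Allow-Origin", self.headers["Origin"])
            self.send_header("Vary", "Origin")
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only: a helper like this must never be reachable from the network.
    server = HTTPServer(("127.0.0.1", 0), LaunchHandler)   # port 0: OS picks a free port
    print("listening on 127.0.0.1:%d" % server.server_port)
    server.serve_forever()
```

Browsers set the Origin header themselves and page scripts cannot override it, so this blocks the cross-site launch described in the article; a non-browser client on the same machine can still send any Origin it likes, so the check is a mitigation, not a substitute for removing the service on uninstall.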
The story, pardon the pun, may very well zoom out beyond this web conferencing software and apply to other apps for Mac. We have contacted Apple about this issue and will report back if we hear more about it.