Apple has pushed a silent update to Mac users that removes the hidden web server left behind by the Zoom client.
The Zoom web- and video-conferencing service has come under scrutiny for its handling of a zero-day bug (CVE-2019-13450), found by researcher Jonathan Leitschuh, that lets any website a user visits force their Mac into a Zoom meeting with the web camera switched on, without their permission. The researcher also flagged a concerning persistence feature: even after a user uninstalled the Zoom client, a hidden web server kept listening on localhost, where any web page loaded in the browser could still reach it.
“If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” explained Leitschuh, adding that this deepens the security risk from the vulnerability.
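As an added example (not code from the article, from Zoom or from Apple), the following Python script checks a Mac for the orphaned server the researcher describes. The port number (19421), the install directory (~/.zoomus) and the daemon name (ZoomOpener) come from Leitschuh's public write-up rather than from this article, so they are treated here as assumptions and kept in named constants; the stand-in HTTP server at the bottom is constructed only so the probe can be exercised offline and does not imitate the real daemon's endpoints.

```python
"""Check a Mac for the leftover Zoom localhost web server.

Added example, not Zoom's or Apple's code. Assumptions not stated in the
article: the researcher's write-up identified the daemon as ZoomOpener,
installed under ~/.zoomus and listening on TCP port 19421 on localhost.
Those values are parameters so they can be changed if they differ.
"""
import os
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ZOOM_PORT = 19421      # localhost port reported by the researcher (assumption)
ZOOM_DIR = ".zoomus"   # hidden install directory reported by the researcher (assumption)


def server_present(host="127.0.0.1", port=ZOOM_PORT, timeout=1.0):
    """Return True if something on host:port accepts a TCP connection and
    answers an HTTP request; False if the port is closed or stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            reply = s.recv(64)
    except OSError:            # connection refused, reset, or timed out
        return False
    return reply.startswith(b"HTTP/")


def zoomopener_dir_present(home=None):
    """Return True if the hidden install directory still exists under home
    (defaults to the current user's home directory)."""
    home = home or os.path.expanduser("~")
    return os.path.isdir(os.path.join(home, ZOOM_DIR))


def report(home=None, port=ZOOM_PORT):
    """Run both checks. A live listener on a machine where the Zoom client
    was uninstalled is exactly the state the researcher describes."""
    return {
        "listener_on_localhost": server_present(port=port),
        "hidden_dir_present": zoomopener_dir_present(home),
    }


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a localhost daemon, used only to exercise
    server_present() offline; it does not mimic ZoomOpener's real endpoints."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_daemon():
    """Start the stand-in on an ephemeral localhost port; return (server, port).
    Call server.shutdown() and server.server_close() to stop it."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # On the Mac in question: either value True means the orphaned server
    # (or its install directory) is still present.
    print(report())
```

Run it on the Mac in question with `python3 check_zoom_opener.py`; a `listener_on_localhost` of True means the server is still answering on the assumed port regardless of whether the Zoom client itself is installed.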
Apple’s update – automatically pushed to users without any need for action on their part – removes the hidden Zoom web server. It’s a move that the Cupertino, Calif.-based giant usually reserves for addressing malware.
“We’re happy to have worked with Apple on testing this update,” Zoom said in a media statement. “We appreciate our users’ patience as we continue to work through addressing their concerns.”
Apple’s update is partly redundant, though it has the advantage of being automatic: Zoom itself released an emergency fix earlier this week that also removes the web server, and the client now lets users uninstall Zoom completely, server included. Zoom’s fix, however, only reaches machines that still run the client and its updater; Apple’s also reaches Macs where the client was uninstalled and only the orphaned server remained. The update follows media attention in the wake of Leitschuh’s coordinated public disclosure of the flaw, which highlighted Zoom’s incomplete fix for the bug and its slow engagement with him.
On July 12, Zoom will further update the client to address the concern that video is enabled by default when joining a meeting: first-time users who tick the “always turn off my video” box in the pop-up will have that preference saved automatically, the company announced.
The Zoom flaw affects about 4 million workers who use Zoom for Mac.