Apple removes Zoom web server in stealth Mac update

in macOS edited July 2019
Apple on Wednesday pushed out an automatic update for Mac users that removes a local host server created by video conferencing app Zoom, protecting users against the threat of unwanted webcam access.


According to Apple, the silent update shields all Zoom users from a recently discovered web server vulnerability without impacting the operation of the app itself, reports TechCrunch.

Previous versions of Zoom installed a local host web server to bypass security protocols deployed as part of Safari 12.

In a bid to protect users from malicious actors, Apple's web browser requires interaction with a dialogue box when a website or link attempts to launch an outside app. Seeking a streamlined one-click-to-open user experience, Zoom sought to bypass the Safari feature and quietly built a local web server into its Mac client package.

A flaw in Zoom's implementation left the app, and subsequently all Mac owners who installed the software, open to attack.

Security researcher Jonathan Leitschuh this week detailed the vulnerability in a zero-day disclosure. Leitschuh found that embedding a simple launch action or an iframe into a website automatically dropped a user into a Zoom meeting with their Mac's webcam enabled. Because the flaw lies in a web server and is not siloed to the app, the attack is effective not only in Safari, but Chrome and Firefox as well.

Further, the web server would remain on a host Mac even after Zoom was uninstalled and was capable of re-installing the the client app without user interaction.

Following Leitschuh's report, and intense scrutiny from media outlets, Zoom decided to patch the flaw in an emergency update on Tuesday. As part of the update, Zoom promised to remove the local host server and make available an option to completely uninstall all remnants of the app without going through Terminal.

Apple opted to remove the server through its own tools on Wednesday. Zoom was apparently notified of the Mac update, according to the report.

"We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today," Zoom spokeswoman Priscilla McCarthy told TechCrunch. "We appreciate our users' patience as we continue to work through addressing their concerns."

Apple typically reserves silent, automated Mac operating system updates to resolve severe malware issues or otherwise enhance user security. The mechanism is rarely deployed to target a specific third-party app, but the company informed TechCrunch that this particular fix was initiated to protect users from Zoom's exposed web server.


  • Reply 1 of 10
    magman1979magman1979 Posts: 1,222member
    Too late, your credibility is ruined, and damage is done.

    Your app went into the trash bin the moment I finished reading the first few paragraphs of the disclosure, and was even happier I trashed it after finishing the article!

    You're dead to me now.
  • Reply 2 of 10
    mobirdmobird Posts: 618member
    It's not nice to fool with mother Apple...
  • Reply 3 of 10
    mike54mike54 Posts: 465member
    I have no sympathy for Zoom. You get one chance at this and they failed. They knew they were doing wrong. Do not support them.
    Individuals and companies should be deleting Zoom and find an alternative.
    edited July 2019 AppleExposedp-dogmac_doganantksundaram
  • Reply 4 of 10
    Yep, we black listed zoom at work. so well done zoom. ;)
  • Reply 5 of 10
    jdb8167jdb8167 Posts: 620member
    Now we can understand the quick turnaround from, "it's no big deal" to "we'll fix it immediately." Zoom was about to lose the PR battle and look foolish with Apple pushing out this update whether Zoom agreed or not. Smart PR I guess to give in to the inevitable and pretend it was your idea.
    edited July 2019 chasmmac_dogcaladaniananantksundaramdysamoria
  • Reply 6 of 10
    MplsPMplsP Posts: 3,247member
    Thank you Apple - another example of why I trust Apple more than most other companies. 
  • Reply 7 of 10
    Rayz2016Rayz2016 Posts: 6,957member
    For all the know-nothings who’re about to pile in to say that Apple shouldn’t have allowed the installation of a web server in the first place:

    Developers need to install web servers for … y’know … development. 

    This is all on Zoom. 

    Way to crash your own credibility in an afternoon. 

    edited July 2019 fastasleep
  • Reply 8 of 10
    Too late, your credibility is ruined, and damage is done.

    Your app went into the trash bin the moment I finished reading the first few paragraphs of the disclosure, and was even happier I trashed it after finishing the article!

    You're dead to me now.

    Well, it was Apple that had the fix out, not Zoom. So this is actually to Apple's credit that they acted upon this so quickly.

    Zoom, like you said, has ruined its own credibility. They were too busy making excuses.

    edited July 2019 ajl
  • Reply 9 of 10
    So which versions of macOS received the silent fix?  How far back has Apple gone to purge this POS software?
Sign In or Register to comment.