Apple removes Zoom web server in stealth Mac update

Posted in macOS, edited July 10
Apple on Wednesday pushed out an automatic update for Mac users that removes a local host server created by video conferencing app Zoom, protecting users against the threat of unwanted webcam access.

According to Apple, the silent update shields all Zoom users from a recently discovered web server vulnerability without impacting the operation of the app itself, reports TechCrunch.

Previous versions of Zoom installed a local host web server to bypass security protocols deployed as part of Safari 12.

In a bid to protect users from malicious actors, Apple's web browser requires interaction with a dialogue box when a website or link attempts to launch an outside app. Seeking a streamlined one-click-to-open user experience, Zoom sought to bypass the Safari feature and quietly built a local web server into its Mac client package.

A flaw in Zoom's implementation left the app, and subsequently all Mac owners who installed the software, open to attack.

Security researcher Jonathan Leitschuh this week detailed the vulnerability in a zero-day disclosure. Leitschuh found that embedding a simple launch action or an iframe into a website automatically dropped a user into a Zoom meeting with their Mac's webcam enabled. Because the flaw lies in a web server and is not siloed to the app, the attack is effective not only in Safari, but Chrome and Firefox as well.

Further, the web server would remain on a host Mac even after Zoom was uninstalled and was capable of re-installing the client app without user interaction.
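The article's point is that a helper listening on the loopback interface is invisible to the browser's usual launch prompt, and can outlive the app that installed it. A defender's first check is therefore simply to enumerate loopback listeners and compare them with what the machine is expected to run. The script below is an added example, not code from the article, from Apple or from Zoom: it parses the output of the real macOS/BSD invocation `lsof -nP -iTCP -sTCP:LISTEN` and flags loopback listeners whose process name is not on an allowlist you maintain. The sample `lsof` output, the process name `ExampleOpener`, port 50000 and the allowlist contents are all constructed placeholders, not Zoom's actual daemon name or port.

```python
"""Audit loopback TCP listeners on a Mac against an allowlist (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output so the script runs offline.
# "ExampleOpener" and port 50000 are placeholders, not a real vendor daemon or port.
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd      412 alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ExampleOpener 9031 alice   7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:50000 (LISTEN)
node          7788 alice  21u  IPv6 0x5e6f      0t0  TCP [::1]:3000 (LISTEN)
"""

# Processes you expect to hold loopback listeners on this machine (example allowlist;
# a real one would be derived from an inventory of approved developer tooling).
ALLOWLIST = {"node", "python3", "ControlCenter"}

# Addresses that mean "reachable only from this host" in lsof's NAME column.
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -> only LISTEN rows match.
LINE_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        return self.addr in LOOPBACK


def parse_lsof(text: str) -> list[Listener]:
    """Turn lsof output into Listener records; header and non-matching lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(m["command"], int(m["pid"]), m["addr"], int(m["port"])))
    return listeners


def suspicious(listeners: list[Listener], allowlist: set[str] = ALLOWLIST) -> list[Listener]:
    """Loopback listeners whose owning process is not on the allowlist."""
    return [ls for ls in listeners if ls.loopback_only and ls.command not in allowlist]


def live_lsof() -> str:
    """Run the real lsof command; returns an empty string if lsof is unavailable."""
    try:
        proc = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


if __name__ == "__main__":
    # Prefer the live machine; fall back to the constructed sample if lsof is missing.
    output = live_lsof() or SAMPLE_LSOF
    for hit in suspicious(parse_lsof(output)):
        print(f"unexpected loopback listener: {hit.command} (pid {hit.pid}) on {hit.addr}:{hit.port}")
```

Run as a normal user to see that user's listeners, or under sudo to see every process. A hit is a prompt to investigate, not proof of a problem: the next step is to find out which package installed the process and whether it survives uninstalling that package, which is the persistence behaviour the article describes.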

Following Leitschuh's report, and intense scrutiny from media outlets, Zoom decided to patch the flaw in an emergency update on Tuesday. As part of the update, Zoom promised to remove the local host server and make available an option to completely uninstall all remnants of the app without going through Terminal.

Apple opted to remove the server through its own tools on Wednesday. Zoom was apparently notified of the Mac update, according to the report.

"We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today," Zoom spokeswoman Priscilla McCarthy told TechCrunch. "We appreciate our users' patience as we continue to work through addressing their concerns."

Apple typically reserves silent, automated Mac operating system updates to resolve severe malware issues or otherwise enhance user security. The mechanism is rarely deployed to target a specific third-party app, but the company informed TechCrunch that this particular fix was initiated to protect users from Zoom's exposed web server.

Comments

  • Reply 1 of 10
    magman1979, Posts: 1,136, member
    Too late, your credibility is ruined, and damage is done.

    Your app went into the trash bin the moment I finished reading the first few paragraphs of the disclosure, and was even happier I trashed it after finishing the article!

    You're dead to me now.
  • Reply 2 of 10
    mobird, Posts: 228, member
    It's not nice to fool with mother Apple...
  • Reply 3 of 10
    mike54, Posts: 347, member
    I have no sympathy for Zoom. You get one chance at this and they failed. They knew they were doing wrong. Do not support them.
    Individuals and companies should be deleting Zoom and finding an alternative.
    edited July 10
  • Reply 4 of 10
    Yep, we blacklisted Zoom at work. So well done, Zoom. ;)
  • Reply 5 of 10
    jdb8167, Posts: 160, member
    Now we can understand the quick turnaround from, "it's no big deal" to "we'll fix it immediately." Zoom was about to lose the PR battle and look foolish with Apple pushing out this update whether Zoom agreed or not. Smart PR I guess to give in to the inevitable and pretend it was your idea.
    edited July 10
  • Reply 6 of 10
    MplsP, Posts: 1,579, member
    Thank you Apple - another example of why I trust Apple more than most other companies. 
  • Reply 7 of 10
    Rayz2016, Posts: 4,731, member
    For all the know-nothings who’re about to pile in to say that Apple shouldn’t have allowed the installation of a web server in the first place:

    Developers need to install web servers for … y’know … development. 

    This is all on Zoom. 

    Way to crash your own credibility in an afternoon. 

    edited July 11
  • Reply 8 of 10
    Too late, your credibility is ruined, and damage is done.

    Your app went into the trash bin the moment I finished reading the first few paragraphs of the disclosure, and was even happier I trashed it after finishing the article!

    You're dead to me now.


    Well, it was Apple that had the fix out, not Zoom. So this is actually to Apple's credit that they acted upon this so quickly.

    Zoom, like you said, has ruined its own credibility. They were too busy making excuses.

    edited July 11
  • Reply 9 of 10
    So which versions of macOS received the silent fix?  How far back has Apple gone to purge this POS software?
  • Reply 10 of 10
    ajl, Posts: 108, member
    According to Jonathan Leitschuh:

    Timeline
    Mar 8, 2019 — Requested security contact via Twitter (no response).
    Mar 26, 2019 — Contacted Zoom Inc via email with 90-day public disclosure deadline. Offered a “quick fix” solution.
    Mar 27, 2019
    - Requested confirmation of reception.
    - Informed that Zoom Security Engineer was Out of Office.
    - Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
    Apr 1, 2019 — Requested confirmation of vulnerability.
    Apr 5, 2019 — Response from Zoom Security Engineer confirming and discussing severity. Settled on CVSSv3 score of 5.4/10.
    Apr 10, 2019 — Vulnerability disclosed to Chromium security team.
    Apr 18, 2019 — Updated Zoom with the suggestion from Chromium team.
    Apr 19, 2019 — Vulnerability disclosed to Mozilla Firefox security team.
    Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams.
    - Disclosed details of impending DNS expiration.
    June 7, 2019 — Email from Zoom about a video call to discuss fix.
    June 11, 2019 — Video call with Zoom Security team about impending disclosure. Discussed how Zoom’s planned patch was incomplete.
    June 20, 2019 — Contacted about having another video call with Zoom Security Team. Declined by me due to calendar conflicts.
    June 21, 2019 — Zoom reports vulnerability was fixed.
    June 24, 2019 — 90-day public disclosure deadline ends. Vulnerability confirmed fixed with ‘quick fix’ solution.
    July 7, 2019 — Regression in the fix causes the video camera vulnerability to work again.
    July 8, 2019
    - Regression fixed.
    - Workaround discovered & disclosed.
    - Public Disclosure.

    And Zoom spokeswoman Priscilla McCarthy says "We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today."

    Sure.