Credits: The Register
Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software.
A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server.
Jonathan Leitschuh focused largely on the fact that a user’s webcam would likely be ON automatically, meaning that a crafty bit of web coding would give an attacker a peek into your room if you simply visit their site.
But the presence of the web server was a more serious issue, especially since uninstalling Zoom did not remove it and the web server would reinstall the Zoom client – which is malware-like behaviour.
Although no remote execution vulnerability has been published, a web server with an unpublished API is a risk in itself. An element on a web page could link to localhost on the known Zoom port with whatever arguments it chooses.
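A practical first check for the risk described above is simply to know which processes on a machine are listening on the loopback interface, since any of them is reachable from a web page the user happens to visit. The following script, an added example that is not Zoom's or Apple's code, parses the output of `lsof -i -P -n` and flags listeners on loopback or wildcard addresses that are not on an administrator's allowlist. The sample lsof lines, the process name `ZoomOpener` and the port number are constructed placeholders, not the real Zoom values.

```python
"""Flag local web-server style listeners from `lsof -i -P -n` output.

Added example for this article (not Zoom's or Apple's code). The sample
output below is constructed; process names and ports are placeholders.
"""
from dataclasses import dataclass

# Constructed sample of `lsof -i -P -n` output (not a real capture).
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener  412  alice  12u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19999 (LISTEN)
Safari      530  alice  40u  IPv4 0x3c4d      0t0  TCP 192.168.1.5:52110->93.184.216.34:443 (ESTABLISHED)
sshd        101  root    3u  IPv4 0x5e6f      0t0  TCP *:22 (LISTEN)
postgres    220  alice   7u  IPv4 0x7a8b      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

LOOPBACK_ADDRS = {"127.0.0.1", "localhost", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int


def is_loopback(addr):
    """True for loopback addresses as lsof prints them."""
    return addr in LOOPBACK_ADDRS or addr.startswith("127.")


def browser_reachable(addr):
    """A page in a local browser can reach loopback and wildcard (*) binds."""
    return is_loopback(addr) or addr == "*"


def parse_listeners(lsof_text):
    """Return every TCP socket in LISTEN state from `lsof -i -P -n` output."""
    listeners = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # Expected columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE
        if len(fields) < 10 or fields[7] != "TCP" or fields[9] != "(LISTEN)":
            continue
        addr, _, port = fields[8].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(fields[0], int(fields[1]), addr, int(port)))
    return listeners


def unexpected_listeners(lsof_text, allowlist=frozenset()):
    """Listeners reachable from a local browser whose command is not allowlisted."""
    return [
        l for l in parse_listeners(lsof_text)
        if browser_reachable(l.address) and l.command not in allowlist
    ]


def report(listeners):
    """Human-readable summary, one line per flagged listener."""
    if not listeners:
        return "no unexpected local listeners"
    return "\n".join(
        f"{l.command} (pid {l.pid}) listens on {l.address}:{l.port}" for l in listeners
    )


if __name__ == "__main__":
    # Allowlist is the admin's decision; here sshd and postgres are treated as expected.
    print(report(unexpected_listeners(SAMPLE_LSOF, allowlist={"sshd", "postgres"})))
```

Run on a live machine with `lsof -i -P -n | python3 script.py` after replacing the constructed sample with `sys.stdin.read()`; anything flagged that is not a known service deserves a closer look at what installed it and whether it survives uninstallation, which is exactly the behaviour the article describes.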
In response to the bad publicity, Zoom posted a series of on-the-hoof updates. Its initial reaction was to justify the hidden web server as “a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings”.
This soon changed. On 9 July the company updated its Mac app to remove the local web server “via a prompted update”.
The next day Apple itself took action by instructing macOS’s built-in antivirus engine to remove the web server on sight from Macs. Zoom CEO Eric Yuan added on Wednesday:
Apple issued an update to ensure the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.
Further, Zoom promised an update in a couple of days intending that users who select “Always turn off my video” on first use will have that preference saved automatically.
Apple appears to have concluded that it is better to protect users by silently disabling this component than to respect the wishes of those who like to think they are in control of what gets installed and removed. Few would disagree.
There is another matter, though. On Windows, users may still be joined automatically to conferences, and with their webcam on, unless they have been careful to configure browser preferences otherwise. It is all a matter of how the .zoommtg extension is handled. Convenient, but it still leaves users exposed to some webcam surprises.
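On Windows the `.zoommtg` behaviour comes down to a custom URL protocol registered in the registry: a key under `HKEY_CLASSES_ROOT` carrying a `URL Protocol` value, with the launch command under its `shell\open\command` subkey. The script below, an added example that is not Zoom's or Microsoft's code, parses a `.reg` export and lists every registered URL scheme alongside the command it hands the URL to, so an administrator can review which handlers a browser may launch. The `.reg` sample is constructed; the description string, executable path and arguments are placeholders, not Zoom's actual values.

```python
"""List custom URL protocol handlers from a Windows .reg export.

Added example for this article (not Zoom's or Microsoft's code). The sample
export is constructed; the handler path and arguments are placeholders.
"""
import re

# Constructed sample in .reg format, e.g. from `reg export HKCR\zoommtg` (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\zoommtg]
@="URL:Zoom Launcher (placeholder)"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\zoommtg\shell\open\command]
@="\"C:\\Placeholder\\Zoom\\bin\\Zoom.exe\" \"--url=%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unquote(s):
    """Strip surrounding quotes and undo the .reg backslash escaping."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value has name ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("name") == "@" else _unquote(m.group("name"))
            keys[current][name] = _unquote(m.group("data"))
    return keys


def url_protocol_handlers(text):
    """Map each scheme that declares 'URL Protocol' to its shell\\open\\command."""
    keys = parse_reg(text)
    handlers = {}
    for key, values in keys.items():
        if "URL Protocol" not in values:
            continue
        scheme = key.rsplit("\\", 1)[-1].lower()
        command = keys.get(key + r"\shell\open\command", {}).get("", "")
        handlers[scheme] = command
    return handlers


if __name__ == "__main__":
    for scheme, command in url_protocol_handlers(SAMPLE_REG).items():
        print(f"{scheme}:// -> {command or '<no command registered>'}")
```

Whether a browser launches such a handler without asking is a per-browser preference (the "always allow" style checkbox on the external-protocol prompt), which is the setting the paragraph above refers to; the inventory this script produces tells you which schemes that preference would apply to.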