Apple removes Zoom web server in stealth Mac update

According to Apple, the silent update shields all Zoom users from a recently discovered web server vulnerability without impacting the operation of the app itself, reports TechCrunch.

Previous versions of Zoom installed a local host web server to bypass security protocols deployed as part of Safari 12.

In a bid to protect users from malicious actors, Apple's web browser requires interaction with a dialogue box when a website or link attempts to launch an outside app. Seeking a streamlined one-click-to-open user experience, Zoom sought to bypass the Safari feature and quietly built a local web server into its Mac client package.

A flaw in Zoom's implementation left the app, and subsequently all Mac owners who installed the software, open to attack.

Security researcher Jonathan Leitschuh this week detailed the vulnerability in a zero-day disclosure. Leitschuh found that embedding a simple launch action or an iframe into a website automatically dropped a user into a Zoom meeting with their Mac's webcam enabled. Because the flaw lies in a web server and is not siloed to the app, the attack is effective not only in Safari, but Chrome and Firefox as well.

Further, the web server would remain on a host Mac even after Zoom was uninstalled and was capable of re-installing the the client app without user interaction.

Following Leitschuh's report, and intense scrutiny from media outlets, Zoom decided to patch the flaw in an emergency update on Tuesday. As part of the update, Zoom promised to remove the local host server and make available an option to completely uninstall all remnants of the app without going through Terminal.

Apple opted to remove the server through its own tools on Wednesday. Zoom was apparently notified of the Mac update, according to the report.

"We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today," Zoom spokeswoman Priscilla McCarthy told TechCrunch. "We appreciate our users' patience as we continue to work through addressing their concerns."

Apple typically reserves silent, automated Mac operating system updates to resolve severe malware issues or otherwise enhance user security. The mechanism is rarely deployed to target a specific third-party app, but the company informed TechCrunch that this particular fix was initiated to protect users from Zoom's exposed web server.