Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple removes Zoom web server in stealth Mac update

Last updated

Apple on Wednesday pushed out an automatic update for Mac users that removes a local host server created by video conferencing app Zoom, protecting users against the threat of unwanted webcam access.

According to Apple, the silent update shields all Zoom users from a recently discovered web server vulnerability without impacting the operation of the app itself, reports TechCrunch.

Previous versions of Zoom installed a local host web server to bypass security protocols deployed as part of Safari 12.

In a bid to protect users from malicious actors, Apple's web browser requires interaction with a dialogue box when a website or link attempts to launch an outside app. Seeking a streamlined one-click-to-open user experience, Zoom sought to bypass the Safari feature and quietly built a local web server into its Mac client package.

A flaw in Zoom's implementation left the app, and subsequently all Mac owners who installed the software, open to attack.

Security researcher Jonathan Leitschuh this week detailed the vulnerability in a zero-day disclosure. Leitschuh found that embedding a simple launch action or an iframe into a website automatically dropped a user into a Zoom meeting with their Mac's webcam enabled. Because the flaw lies in a web server and is not siloed to the app, the attack is effective not only in Safari, but Chrome and Firefox as well.

Further, the web server would remain on a host Mac even after Zoom was uninstalled and was capable of re-installing the the client app without user interaction.

Following Leitschuh's report, and intense scrutiny from media outlets, Zoom decided to patch the flaw in an emergency update on Tuesday. As part of the update, Zoom promised to remove the local host server and make available an option to completely uninstall all remnants of the app without going through Terminal.

Apple opted to remove the server through its own tools on Wednesday. Zoom was apparently notified of the Mac update, according to the report.

"We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today," Zoom spokeswoman Priscilla McCarthy told TechCrunch. "We appreciate our users' patience as we continue to work through addressing their concerns."

Apple typically reserves silent, automated Mac operating system updates to resolve severe malware issues or otherwise enhance user security. The mechanism is rarely deployed to target a specific third-party app, but the company informed TechCrunch that this particular fix was initiated to protect users from Zoom's exposed web server.



9 Comments

magman1979 11 Years · 1301 comments

Too late, your credibility is ruined, and damage is done.

Your app went into the trash bin the moment I finished reading the first few paragraphs of the disclosure, and was even happier I trashed it after finishing the article!

You're dead to me now.

mobird 20 Years · 758 comments

It's not nice to fool with mother Apple...

freethinking 8 Years · 92 comments

Yep, we black listed zoom at work. so well done zoom. ;)

jdb8167 16 Years · 626 comments

Now we can understand the quick turnaround from, "it's no big deal" to "we'll fix it immediately." Zoom was about to lose the PR battle and look foolish with Apple pushing out this update whether Zoom agreed or not. Smart PR I guess to give in to the inevitable and pretend it was your idea.

MplsP 8 Years · 4047 comments

Thank you Apple - another example of why I trust Apple more than most other companies.