Published: Fri, July 12, 2019
Tech | By Constance Martin

Apple issues a silent Mac update to fix Zoom webcam exploit

According to Apple, the automatically deployed update removes the hidden web server, which Zoom quietly installed on users' Macs when they installed the app, TechCrunch reported on Wednesday. Gray reported that Leitschuh likely came close to finding a remote-code execution vulnerability affecting the local web server.

Many users may not even be aware the problem exists as they have already uninstalled the app.

Representatives of the company promised to release an update with a bug fix this month. An issue in the product's architecture involving a localhost web server means a third party could potentially join a videoconferencing call without permission.

Patching to get rid of the Zoom server completely should eliminate the vulnerability on Mac devices.

On Tuesday, Zoom said it was releasing an update that will remove the local web server to secure the system and do away with the use of the web servers moving forward. It also acknowledged that it did not currently have an easy way to uninstall both the client and the server.

"It took Zoom 10 days to confirm the vulnerability," wrote Leitschuh. Even after the 90-day timeline was over, the company had only implemented the quick-fix solution originally suggested by the security researcher.

He demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed.

According to reports about the Zoom functionality issue, simply uninstalling Zoom from your Mac might not have been enough to correct the problem.

Despite the mishandling of the incident, Zoom's share price has continued to rise throughout the week, sitting at $92.72 a share at the time of writing, up 2% on the day.

Ultimately, the voice of users and security professionals led Zoom to decide that the risks outweighed the convenience factor provided by the local web server.

The challenge with something like this Zoom vulnerability is that users might simply be unaware of any danger.

Leitschuh said the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.

Zoom, for its part, defended itself, saying that it would be obvious if someone fell prey to hackers, as the app is programmed to be the foremost window on users' screens. However, it has rolled out an update that changes the way meeting links are set up.

However, a malicious website can exploit the web server by sending it a request for a video feed.

The patch will also add a button that allows users to manually uninstall Zoom.

A security flaw in the video conferencing tool Zoom could leave the cameras on Mac computers vulnerable to attackers, a security researcher claims.

"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't. This is a breach of transparency and exposes individuals who believe they don't have the software installed to attacks. It's underhanded and breaches trust boundaries. A very poor decision by the folks at Zoom."
