Apple Pushes a Silent Mac Update To Remove Hidden Zoom Web Server (techcrunch.com)
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. TechCrunch reports: The Cupertino, Calif.-based tech giant told TechCrunch that the update -- now released -- removes the hidden web server, which Zoom quietly installed on users' Macs when they installed the app. Apple said the update does not require any user interaction and is deployed automatically. Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself. The update will now prompt users if they want to open the app, whereas before it would open automatically.
When did they do this? (Score:5, Interesting)
I'm wondering because when I went looking for the Zoom hidden web server yesterday morning, I couldn't find any evidence it exists - even though I have used Zoom.
Re: (Score:1, Insightful)
That's the problem with silent, forced updates. You don't have control over your computer, it belongs to Apple.
Imagine if Microsoft did this. People would be up in arms about how the evil empire can run arbitrary code on their computers and looking for ways to block it. Have you tried running dubious scripts that add all Apple's IP addresses to your firewall and disable the update service?
Re: When did they do this? (Score:5, Informative)
The Zoom web service would start the video camera without even asking if you want to join the conference or not. Tested it yesterday, and was quite surprised to see myself in a room full of other engineers testing this without any prompt from the browser.
Cover your camera! (Score:2)
It's more a non-issue than that (Score:1)
It's not like it's silently opening the mic/camera. It's bringing up the whole Zoom interface. So it's really not hard to tell if someone has activated this.
Re: (Score:2)
Well, even so, the reported behavior was bad - not the least of which is this web server would apparently happily reinstall Zoom on a computer which had Zoom removed, if someone pinged the web server.
Re: (Score:1)
This is not about you or me, we understand the importance of having a camera cover. But there are several John Does out there that don't know about this.
Also, before the fix, if you went to the proof of concept it would open the meeting room in the browser without prompting the user to accept joining it. The chatroom could be hidden away in the webpage, thus the user would have no idea he was being watched.
Re:When did they do this? (Score:5, Informative)
It is not a silent forced update. Always count on Techcrunch to sensationalize the issue. And count on Slashdot to post-first-read-later.
macOS does install security updates, like to block malware, silently. Since the Zoom web server can be used by CORS attacks, and has holes as well, it is definitely a malware risk.
And for the update to be silent, you need to have "Install system data files and security updates" checked. You can uncheck this. BTW, the "system data files" are certificates. Apple pushes new certificate files to deal with compromised certificates.
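To show why a localhost helper that any web page can reach is the risk the comment above describes, here is an added example (not Zoom's or Apple's code) of a constructed local "join" endpoint with the permissive decision beside a hardened one that requires an allowlisted Origin plus a per-install secret; the vendor origin, the /join path and the token parameter are hypothetical.

```python
"""Localhost helper: permissive decision vs. hardened decision (constructed example)."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hypothetical vendor origin: the only web page the helper should obey.
ALLOWED_ORIGINS = {"https://helper.example"}
# Per-install secret, generated once and shared only with the vendor's page,
# so a random website cannot forge a valid request even if it knows the port.
INSTALL_TOKEN = secrets.token_urlsafe(16)


def permissive_decision(origin, token):
    """Weak behaviour: any page that can reach 127.0.0.1 gets obeyed."""
    return True


def hardened_decision(origin, token, allowed=ALLOWED_ORIGINS, expected=None):
    """Obey only an allowlisted Origin that also presents the install token."""
    expected = INSTALL_TOKEN if expected is None else expected
    if origin is None or origin not in allowed:
        return False  # a request with no Origin at all (e.g. an <img> fetch) is refused too
    return secrets.compare_digest(token or "", expected)


class HelperHandler(BaseHTTPRequestHandler):
    """Hypothetical 'join meeting' endpoint, e.g. GET /join?token=...&room=..."""

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        token = query.get("token", [None])[0]
        origin = self.headers.get("Origin")
        if hardened_decision(origin, token):
            self.send_response(200)
            # Echo only the vetted origin; never "*" on a localhost control API.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
            body = b"would launch the app and join the room now\n"
        else:
            self.send_response(403)
            body = b"forbidden: unknown origin or bad token\n"
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback on an ephemeral port; the helper must never be network-facing.
    srv = HTTPServer(("127.0.0.1", 0), HelperHandler)
    print("listening on", srv.server_address, "token:", INSTALL_TOKEN)
    srv.serve_forever()
```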
Re: (Score:2, Insightful)
And always count on Slashdot to perform mental gymnastics to explain away behavior from organizations they like while holding others' feet to the fire for comparatively minor or even non-existent offenses.
Both Microsoft and Apple have had the combination of malware removal updates and an auto update feature built into their OS for ages. What feet to fire holding took place? There are no two sides of this, these are universally recognized Good Ideas (TM).
This is not a contentious issue at all, and you are making things up. What "others" with burnt feet are you trying to defend here?
Re: (Score:2)
So someone says something stupid and incorrect with all kinds of bias and outrage and when corrected and called out on it, the person doing the correcting is a complete dick and obviously a corporate shill?
What a disappointing and craven world you must live in.
Re: (Score:2)
Microsoft did that often enough ...
Re: (Score:2)
That's the problem with silent, forced updates. You don't have control over your computer, it belongs to Apple.
Imagine if Microsoft did this. People would be up in arms about how the evil empire can run arbitrary code on their computers and looking for ways to block it.
You are joking, aren't you?
Re: (Score:2)
Many thanks for outing yourself as someone who would prefer that critical exploitable weaknesses continue to be exposed and abused rather than remedied, it makes it much easier to classify for what you are and ignore you.
Apple has only used their ability to perform these updates to shut down third party software that was either already being abused like the Silverlight, Flash and Java NPAPI plug-ins that were blacklisted here [apple.com].
Only buffoons whine about "Apple controls the computer, not you" when Apple is mak
Re: (Score:2)
I'd prefer it to be patched, but with the user's consent. As Microsoft have demonstrated, sometimes the cure is worse than the disease.
Re: (Score:2)
Translation: I prefer it to be not patched.
Because guess what? Users don't install patches.
They get fed up with the dialogs and they disable them or just click "no". And this is with auto-updates and such all enabled.
If you need proof, just survey a typical office - unless the IT admin forces the issue (I've seen admins basically say they will reboot all PCs so save your work before leaving), you'd find they can be several months behind on patches. O
Re: (Score:2)
First of all, you do have control over it. There are checkboxes in Software Update for "system and security updates" which when unchecked would disallow this update from happening.
Second, if you did get the update, you can easily re-enable the vulnerability-infested shitware by editing the com.apple.xprotect plist file to remove the entry that prevents the vulnerability-infested shitware from running.
Third, if you don't want Apple software updates and don't trust the easy to use preference pane for turning o
Re: (Score:2)
Ditto on a 2012 13.3" MBP with its macOS Sierra v10.12.6.
Re: (Score:2)
I wonder if it was specific to Mojave (10.14) - I'm on High Sierra, and I don't see the update listed in my software update history (System Information -> Software -> Installations).
I've got all those auto-install options unchecked, so I should have been prompted before even a "silent" update.
Re: (Score:2)
Same here on this 2012 13.3" MBP with macOS Sierra v10.12.6. I saw no updates as of a few minutes ago. However, I did see its /var/log/install.log. This might be it?
"...
Jul 9 12:30:30 MBP systemmigrationd[29613]: systemmigrationd: Transitioning scanner request from Nothing to Local Volumes.
Jul 9 12:30:31 MBP systemmigrationd[29613]: Connected to daemon. Language set to: English
Jul 9 12:30:32 MBP system_installd[419]: PackageKit: Adding client PKInstallDaemonClient pid=29613, uid=0 (/System/Library/PrivateF
What OS versions affected? (Score:1)
Re: (Score:2)
Sucks to be shithead, but it seems to be working for you.
Re: (Score:2)
There doesn’t seem to be any info on Zoom’s web site about system requirements, without knowing if their software even installs/runs on OS versions earlier than 10.11 it’s hard to say whether a lack of security updates is a problem...
Re: (Score:2)
I'll bet it's killed on anything released since 2013 or so when XProtect was added.
Is this hidden server present on other OSes? (Score:2, Interesting)
What I want to know is if Zoom installs this hidden web server on other operating systems. They support a number of systems including Linux, and I've installed the Zoom client on my Linux system because the university I work for uses Zoom. Is this Mac-only, or is this "feature" present on other systems as well?
The previous story mentioned that this server wasn't removed if Zoom was uninstalled, and that's particularly unacceptable. Uninstalling the software should remove everything that was ever installed,
Re: (Score:3, Informative)
What I want to know is if Zoom installs this hidden web server on other operating systems. They support a number of systems including Linux, and I've installed the Zoom client on my Linux system because the university I work for uses Zoom. Is this Mac-only, or is this "feature" present on other systems as well?
From what I understand it was Mac only and a workaround, since security features on the Mac required users to make an extra click in a dialog box when following an invitation link to a Zoom room.
So for the "convenience" of the user they decided that hosting a local server that they did not tell me they installed, nor uninstalled when I removed the program was the correct thing to do? Our school uses Zoom after ditching Adobe Connect, and I shut down and uninstalled the server before this news came out.
Re: (Score:2)
Asking how and why is sinful.
Re: (Score:2)
Nah, the article is clickbait. You only have the update if 'automatic updates' are turned on and you gave your permission in that way...
Yeah - my Mac always tells me there is an update, but has never pulled a Windows 10 style trick on me. The macOS updates don't screw up the computer like Windows does, but just like Linux I decide the time it happens.
Pattern of Fail (Score:5, Interesting)
A couple months ago iOS had a very similar bug where people could use FaceTime to look through someone's camera, even without the victim accepting a FaceTime call. Makes me wonder if there's some common reason why they're securing camera connections poorly.
Re:Pattern of Fail (Score:5, Funny)
A couple months ago iOS had a very similar bug where people could use FaceTime to look through someone's camera, even without the victim accepting a FaceTime call. Makes me wonder if there's some common reason why they're securing camera connections poorly.
Yeah, the whole camera development team at Apple has been recruited by the NSA, or China, or Iran, .... no ALL THREE!!!! .... to spy on conservatives everywhere in a gigantic liberal conspiracy led by Darth Obama and Darth Hillary to destroy Judeo-Christian values everywhere!!!!! ..... Ugh, sorry guys, I had a brief Alex Jones moment there but I'm OK now.
MAS (Score:2)
The solution, easily, is just don't install software on your Mac from anywhere except the Mac App Store.