Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Desktops (Apple) Apple

Apple Pushes a Silent Mac Update To Remove Hidden Zoom Web Server (techcrunch.com) 62

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. TechCrunch reports: The Cupertino, Calif.-based tech giant told TechCrunch that the update -- now released -- removes the hidden web server, which Zoom quietly installed on users' Macs when they installed the app. Apple said the update does not require any user interaction and is deployed automatically. Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself. The update will now prompt users if they want to open the app, whereas before it would open automatically.
This discussion has been archived. No new comments can be posted.

Apple Pushes a Silent Mac Update To Remove Hidden Zoom Web Server

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Thursday July 11, 2019 @12:33AM (#58906204)

    I'm wondering because when I went looking the the Zoom hidden web server yesterday morning, I couldn't find any evidence it exists - even though I have used Zoom.

    • Re: (Score:1, Insightful)

      by AmiMoJo ( 196126 )

      That's the problem with silent, forced updates. You don't have control over your computer, it belongs to Apple.

      Imagine if Microsoft did this. People would be up in arms about how the evil empire can run arbitrary code on their computers and looking for ways to block it. Have you tried running dubious scripts that add all Apple's IP addresses to your filewall and disable the update service?

      • by Anonymous Coward on Thursday July 11, 2019 @03:06AM (#58906508)

        It is not a silent forced update. Always count on Techcrunch to sensationalize the issue. And count on Slashdot to post-first-read-later.

        macOS does install security updates, like to block malware, silently. Since the Zoom web server can be used by CORS attacks, and has holes as well, it is definitely a malware risk.

        And for the update to be silent, you need to have "Install system data files and security updates" checked. You can uncheck this. BTW, the "system data files" are certificates. Apple pushes new certificate files to deal with compromised certifies.

      • Microsoft did that often enough ...

      • That's the problem with silent, forced updates. You don't have control over your computer, it belongs to Apple.

        Imagine if Microsoft did this. People would be up in arms about how the evil empire can run arbitrary code on their computers and looking for ways to block it.

        You are joking aren't you?

      • by phayes ( 202222 )

        Many thanks for outing yourself as someone who would prefer that critical exploitable weaknesses continue to be exposed and abused rather than remedied, it makes it much easier to classify for what you are and ignore you.

        Apple has only used their ability to perform these updates to shut down third party software that was either already being abused like the Silverlight, Flash and Java NPAPI plug-ins that were blacklisted here [apple.com].

        Only buffoons whine about "Apple controls the computer, not you" when Apple is mak

        • by AmiMoJo ( 196126 )

          I'd prefer it to be patched, but with the user's consent. As Microsoft have demonstrated, sometimes the curse is worse than the disease.

          • by tlhIngan ( 30335 )

            I'd prefer it to be patched, but with the user's consent.

            Translation: I prefer it to be not patched.

            Because guess what? Users don't install patches.

            They get fed up with the dialogs and they disable them or just click "no". And this is with auto-updates and such all enabled.

            If you need proof, just survey a typical office - unless the IT admin forces the issue (I've seen admins basically say they will reboot all PCs so save your work before leaving), you'd find they can be several months behind on patches. O

      • First of all, you do have control over it. There's checkboxes in Software Update for "system and security updates" which when unchecked would disallow this update from happening.

        Second, if you did get the update, you can easily re-enable the vulnerability-infested shitware by editing the com.apple.xprotect plist file to remove the entry that prevents the vulnerability-infested shitware from running.

        Third, if you don't want Apple software updates and don't trust the easy to use preference pane for turning o

    • by antdude ( 79039 )

      Ditto on a 2012 13.3" MBP with its mac OS Sierra v10.12.6.

      • I wonder if it was specific to Mojave (10.14) - I'm on High Sierra, and I don't see the update listed in my software update history (System Information -> Software -> Installations).

        I've got all those auto-install options unchecked, so I should have been prompted before even a "silent" update.

        • by antdude ( 79039 )

          Same here in this 2012 13.3" MBP's mac OS Sierra v10.12.6. I saw no updates as of a few minutes ago. However, I did see its /var/log/install.log. This might be it?

          "...
          Jul 9 12:30:30 MBP systemmigrationd[29613]: systemmigrationd: Transitioning scanner request from Nothing to Local Volumes.
          Jul 9 12:30:31 MBP systemmigrationd[29613]: Connected to daemon. Language set to: English
          Jul 9 12:30:32 MBP system_installd[419]: PackageKit: Adding client PKInstallDaemonClient pid=29613, uid=0 (/System/Library/PrivateF

  • Nothing in the summary or the article about what OS versions this silent update works on. I guess we can assume 10.12, 10.13 and 10.14? Sucks to have 10.7-10.11 and not have heard about this problem I guess.
    • by Dog-Cow ( 21281 )

      Sucks to be shithead, but it seems to be working for you.

    • Haven’t checked this particular update, but last I checked 10.11 was still getting these security updates.

      There doesn’t seem to be any info on Zoom’s web site about system requirements, without knowing if their software even installs/runs on OS versions earlier than 10.11 it’s hard to say whether a lack of security updates is a problem...
      • I checked and Zoom seems to be compatible with 10.7 on. 10.11 already stopped receiving official security updates last year, the last major one was from 2018, while 10.12 and above have already received three this year. Pretty clear to me it's not being updated any longer.
    • I'll bet it's killed on anything released since 2013 or so when XProtect was added.

  • by Anonymous Coward

    What I want to know is if Zoom installs this hidden web server on other operating systems. They support a number of systems including Linux, and I've installed the Zoom client on my Linux system because the university I work for uses Zoom. Is this Mac-only, or is this "feature" present on other systems as well?

    The previous story mentioned that this server wasn't removed if Zoom was uninstalled, and that's particularly unacceptable. Uninstalling the software should remove everything that was ever installed,

    • Re: (Score:3, Informative)

      by Anonymous Coward

      What I want to know is if Zoom installs this hidden web server on other operating systems. They support a number of systems including Linux, and I've installed the Zoom client on my Linux system because the university I work for uses Zoom. Is this Mac-only, or is this "feature" present on other systems as well?

      From what I understand it was Mac only and a workaround since security features on the Mac required users to an extra click in a dialog box when following an invitation link to a Zoom room.

      So for the "convenience" of the user they decided that hosting a local server that they did not tell me they installed, nor uninstalled when I removed the program was the correct thing to do? Our school uses Zoom after ditching Adobe Connect, and I shut down and uninstalled the server before this news came out.

  • Pattern of Fail (Score:5, Interesting)

    by mentil ( 1748130 ) on Thursday July 11, 2019 @06:23AM (#58906918)

    A couple months ago iOS had a very similar bug where people could use Facetime to look through someone's camera, even without the victim accepting a Facetime call. Makes me wonder if there's some common reason why they're securing camera connections poorly.

    • by Freischutz ( 4776131 ) on Thursday July 11, 2019 @07:34AM (#58907068)

      A couple months ago iOS had a very similar bug where people could use Facetime to look through someone's camera, even without the victim accepting a Facetime call. Makes me wonder if there's some common reason why they're securing camera connections poorly.

      Yeah, the whole camera development team at Apple has been recruited by the NSA, or China, or Iran, .... no ALL THREE!!!! .... to spy on conservatives everywhere in a gigantic liberal conspiracy led by Darth Obama and Darth Hillary to destroy Judeo-Christian values everywhere!!!!! ..... Ugh, sorry guys, I had a brief Alex Jones moment there but I'm OK now.

  • The solution, easily, is just don't install software on your Mac from anywhere except the Mac App Store.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...