Apple silently removes Zoom web server software from Macs
After all the drama over Zoom’s use of a hidden web server on Macs, Apple itself has decided to step in, TechCrunch reports. It is releasing a silent update, which means your Mac will get it without any interaction from you, to remove the web server, which was designed to save Safari users an extra click, from any Mac on which the Zoom software is installed.
Although Zoom itself released an emergency patch yesterday to remove this web server, Apple is apparently concerned enough that users are not updating, or are unaware of the controversy, that it is releasing its own fix. This makes perfect sense, not only because many users may not open Zoom for a while, but also because many of them have uninstalled the app. Before Zoom’s emergency update, uninstalling the app left the web server on your computer, so Zoom had no way to remove it through an updated app. This means that the only reasonable and easy way for these people to get the fix is for Apple to provide it. Apple believes this software update should not affect Zoom’s ability to run on Macs.
Basically, Apple stepped in because it knew a ton of people would still be vulnerable after uninstalling Zoom, but either didn’t know about the vulnerability or didn’t want to install the updated version of Zoom that was fixed.
– Zack Whittaker (@zackwhittaker) July 10, 2019
Apple also apparently warned Zoom that this was happening:
Zoom spokesperson Priscilla McCarthy told TechCrunch: “We are happy to have worked with Apple to test this update. We expect the web server issue to be resolved today. We appreciate the patience of our users as we continue to work to address their concerns.”
This whole saga started earlier this week when security researcher Jonathan Leitschuh published his concerns about a serious vulnerability in Zoom that could allow any website to automatically open a Zoom conference call on your computer with the webcam on. Even if you uninstalled Zoom, the web server persisted on your machine and could even reinstall the application automatically.
The next day, Zoom first defended the use of a web server that enabled this feature, then gave in to the pressure and updated its app to remove it. Speaking to The Verge, Zoom’s chief information security officer, Richard Farley, explained yesterday that the company didn’t really believe there was anything wrong with its software, but wanted to reassure anyone who disagreed:
Our initial position was that the installation of this [web server] process in order to allow users to join the meeting without having to make those extra clicks – we think this was the right decision. And it was [at] the request of some of our customers. But we also recognize and respect the perspective of others who say they don’t want an additional process installed on their local machine. That is why we have made the decision to remove this component.
As we wrote yesterday, all the attention on the tactic of using a web server to do extra work on your computer has been focused on Zoom, but Zoom isn’t the only one using it. A competing video conferencing service, BlueJeans, said it also uses similar software, but believes it is more secure. Sean Simmons, senior director of product management for the company, told us:
While BlueJeans uses a launch service […] We mitigated this vulnerability by only allowing bluejeans.com websites to launch the BlueJeans desktop app in a meeting. Second, an uninstall of BlueJeans on Mac or Windows completely removes the app and launcher service described in the article above. We are continuing to review all points of the Medium post and expect another update shortly.
The story, pardon the pun, may very well extend beyond this web conferencing software and apply to other applications for Mac. We have contacted Apple about this matter and will report back if we hear more about it.