Published: Thu, July 11, 2019
Electronics | By Kelly Massey

Apple quietly updates Macs to remove Zoom’s risky web server


The TechCrunch report says Zoom was notified of the Mac update.

After initially defending its decision to install an insecure local web server on Mac users' machines, one that posed a significant security risk and could be hijacked by attackers, teleconferencing app Zoom has backtracked and said it would quickly remove the "feature".

If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will re-install the Zoom client, without requiring any user interaction besides visiting a webpage.

The flaw only affects computers running Apple's MacOS, because Windows computers manage connections in a different way, the report says. But the Zoom video conference app failed in that regard: as reported yesterday, a tech veteran found a serious flaw in the app that left any Mac with Zoom installed open to outside webcam access.

Prior to the update, Eoin Keary, CEO and co-founder of edgescan, told MailOnline: 'A vulnerability in any software is unsurprising and can be fixed with a patch prior to disclosure if the vendor addresses the issue in a timely manner. It also re-installs Zoom's software if it's been removed.


The popular application quietly activates the Mac's camera. "We are stopping the use of a local web server on Mac devices", the company said.

That doesn't seem such a far-fetched idea after the researcher Leitschuh revealed that a vulnerability in the Zoom app meant that, besides allowing the Mac webcam to be remotely activated, the vulnerability could also "have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call". "We appreciate our users' patience as we continue to work through addressing their concerns".

However, a malicious website can exploit the web server by sending it a request for a video feed.
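The two sentences above (a visited webpage re-installing the client, and a malicious website sending the local server a request) describe the same underlying problem: a service listening on localhost answers any request a browser is induced to send, regardless of which site sent it. Below is an added example, not Zoom's code, of the defensive pattern a local service should apply: browsers attach an `Origin` header to cross-site requests, so the service can refuse everything whose origin is not on an explicit allowlist. The service name, port selection and the allowlisted origin `https://app.example.com` are assumptions for the demo.

```python
"""Added example (not Zoom's code): a loopback HTTP service that refuses
requests a web page could trigger from another origin.

Browsers attach an Origin header to cross-site requests, so a local
service can reject requests whose Origin is not on an explicit allowlist.
All names, the port and the allowlist below are assumptions for the demo.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist: only the vendor's own page may talk to the local service.
ALLOWED_ORIGINS = {"https://app.example.com"}


def check_origin(headers, allowed=ALLOWED_ORIGINS):
    """Deny by default: the request must carry an Origin on the allowlist.

    Browsers add Origin to cross-origin fetches/XHRs and to top-level POSTs,
    so a request from an arbitrary web page shows up with that page's origin.
    Requests with no Origin (e.g. from a bare curl) are also refused here, so
    the service cannot be driven by anything that does not identify itself.
    """
    origin = headers.get("Origin")
    return origin is not None and origin in allowed


class GuardedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not check_origin(self.headers):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"forbidden: untrusted origin\n")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, *_):  # keep the demo quiet
        pass


def serve_once(port=0):
    """Start the guarded service on 127.0.0.1 (port 0 = any free port)."""
    server = HTTPServer(("127.0.0.1", port), GuardedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, origin=None):
    """Issue one GET with an optional Origin header; return the HTTP status."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/launch")
    if origin is not None:
        req.add_header("Origin", origin)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Constructed scenario: a trusted page, an unknown page, and no Origin."""
    server, port = serve_once()
    try:
        return {
            "trusted": probe(port, "https://app.example.com"),
            "untrusted": probe(port, "https://other.example.net"),
            "no_origin": probe(port),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # {'trusted': 200, 'untrusted': 403, 'no_origin': 403}
```

Denying requests with no `Origin` at all is a deliberate choice: it closes the gap where a request is relayed by something that strips headers, at the cost of requiring any legitimate local client to identify itself. An allowlist check like this is a mitigation for the cross-site driving problem only; it does not change the fact that a persistent listener on loopback is itself an attack surface the article's update removes.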

By Wednesday, that differentiator was reduced, as the company announced in a heavily updated blog post that it would walk back its local web server support in a patch prepared for Tuesday night. It's underhanded and breaches trust boundaries.
