Apple on Wednesday quietly pushed out an automatic update to Mac users to remove a local host server created by the Zoom video conferencing app. The fix protects users against the threat of unapproved webcam access.
TechCrunch reports Apple’s silent update protects all Zoon user from the recently discovered web server vulnerability without affecting the operation of the app itself.
Security researcher Jonathan Leitschuh on Tuesday disclosed a serious zero-day vulnerability in the Zoom video conferencing app for the Mac that can allow a website to hijack the webcam on a Mac.
In a post on Medium, Leitschuh showed how simply visiting a malicious website allows the site to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. In addition, the vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will re-install the Zoom client, without requiring any user interaction besides visiting a webpage.
Zoom, feeling the pressure from heavy media coverage of the security flaw in their Mac client that allows access to a user’s webcam, released a fix for the issue Tuesday afternoon.
However, Apple elected to remove the server, and the threat, on its own on Wednesday. The update will now prompt Mac users to voluntarily open the app, instead of opening it automatically as it did previously. The TechCrunch report says Zoom was notified of the Mac update.
“We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today,” Zoom spokeswoman Priscilla McCarthy told TechCrunch. “We appreciate our users’ patience as we continue to work through addressing their concerns.”
While Apple has deployed silent Mac operating system updates in the past to resolve severe malware or other security threats, a deployment to target a specific third-party app is a bit unusual. The company told TechCrunch it pushed the update to protect users from the risks posed by the exposed web server.