After all the drama related to Zoom's use of a hidden web server on Mac, Apple itself has decided to intervene, TechCrunch reports. It is pushing out a silent update – meaning your Mac will get it without any interaction from you – to remove the web server, which was designed to save Safari users an extra click, from any Mac on which the Zoom software is installed.
Although Zoom itself released an emergency patch yesterday to remove this web server, Apple is apparently concerned enough about users who have not updated, or who are unaware of the controversy in the first place, that it is issuing its own fix. This is perfectly logical, not only because many users may not open Zoom for a while, but also because many of them have uninstalled the application. Before Zoom's emergency update, uninstalling the application left the web server on your computer. For those users, Zoom would have no way of removing it with an updated application. This means that the only reasonable and easy way for these people to get the fix is for Apple to provide it. Apple believes that this software update should not affect the ability of Zoom to work on Macs.
Apple stepped in because it knew that a large number of people would remain vulnerable after uninstalling Zoom, but did not know about the vulnerability or did not want to install the updated version of the Zoom fix.
– Zack Whittaker (@zackwhittaker) July 10, 2019
Apple apparently also warned Zoom that this was happening:
Priscilla McCarthy, a spokesperson for Zoom, told TechCrunch: "We are happy to have worked with Apple to test this update. We expect the web server problem to be solved today. We value the patience of our users as we continue to work to address their concerns."
This whole saga started earlier in the week when security researcher Jonathan Leitschuh voiced concerns about a serious vulnerability in Zoom that could allow any website to automatically open a Zoom conference call on your computer with the webcam on. Even if you uninstalled Zoom, the web server persisted on your computer and could even reinstall the application automatically.
Over the next day, Zoom first defended the use of a web server to enable this feature, then relented under pressure and updated its application to remove it. Speaking to The Verge, Zoom's Information Security Officer Richard Farley explained yesterday that the company did not really believe there was anything wrong with its software, but that it wanted to reassure everyone who disagreed:
Our initial position was that the installation of this [web server] process to allow users to join the meeting without having to make those extra clicks – we think that was the right decision. And it was [at] the demand of some of our customers. But we also recognize and respect the point of view of those who say they do not want to install an additional process on their local computer. That's why we made the decision to remove this component.
As we wrote yesterday, all the attention paid to the tactic of using a web server to do extra work on your computer was focused on Zoom, but Zoom was not alone. BlueJeans, a competing videoconferencing service, said that it too was using similar software, but that it felt that it was more secure. Sean Simmons, senior director of product management for the company, told us:
While BlueJeans uses a launch service […] we mitigated this vulnerability by allowing only bluejeans.com websites to launch the BlueJeans desktop application in a meeting. Secondly, uninstalling BlueJeans on Mac or Windows completely deletes the application and launcher service described in the article above. We continue to review all points of the Medium publication and plan to have another update shortly.
The story, pardon the pun, could very well zoom beyond this web conferencing software and apply to other applications for Mac. We have contacted Apple about this and will update if we hear more.