Yesterday, the Zoom videoconferencing service released an update for its Mac client that removes the controversial Web server feature, which allowed a person to initiate an unauthorized video call on the user's computer.
But now, TechCrunch reports that Apple has decided to intervene anyway, by launching a silent update for Mac that completely removes the functionality of Zoom's Web server.
The local Web server, which Zoom was quietly installing on users' computers, improved some aspects of Zoom's usability but opened up a huge potential for misuse, as Jonathan Leitschuh, a security researcher, first documented.
Apple said the update protects current and past users of Zoom from the vulnerabilities discovered by Leitschuh, and Zoom told TechCrunch that the company is "happy to have worked with Apple" on the update.
The fact that Apple has installed a patch that fixes a third-party application – which the company does very rarely – says a lot. A third-party application that installs a local Web server on your computer without telling you, allowing "features" such as the automatic re-installation of the Zoom application, even after uninstalling it, is horrible for the security of your system.
And the fact that Zoom initially downplayed the vulnerabilities, calling them "low risk" and defending its use of the hidden Web server, shows the importance of the work of independent security researchers, who are often the first to refute these assertions.
In a blog post published Wednesday, Eric S. Yuan, CEO of Zoom, said the company would launch a vulnerability disclosure program in the "next few weeks". He also wrote that the company had "taken steps to improve our process of receiving, retrieving and closing the loop on all future security concerns".