After all of the drama over Zoom’s use of a hidden web server on Macs, Apple itself has decided to step in, TechCrunch reports. It is issuing a silent update — meaning your Mac will get it without any interaction on your part — to remove the web server, which was designed to save Safari users an extra click, from any Mac that has Zoom’s software installed.
Although Zoom itself issued an emergency patch yesterday to remove that web server, Apple is apparently concerned that enough users either won’t update or are unaware of the controversy in the first place that it is issuing its own patch. That makes perfect sense, not only because many users may not open Zoom for some time, but also because many of them had already uninstalled the app. Before Zoom’s emergency update, uninstalling the app left the web server on your computer — so Zoom would have no way to remove it with an updated app. That means the only reasonable and easy way for those people to get this fix would be for Apple to provide it. Apple reportedly believes this software update shouldn’t affect Zoom’s ability to function on Macs.
Basically, Apple stepped in because it knew a ton of people were still going to be vulnerable after they uninstalled Zoom but either didn’t know of the vulnerability or didn’t want to install the updated patched Zoom version.
— Zack Whittaker (@zackwhittaker) July 10, 2019
Apple also apparently gave Zoom a heads-up that this was happening:
Zoom spokesperson Priscilla McCarthy told TechCrunch: “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.”
This entire saga began earlier in the week when security researcher Jonathan Leitschuh published his concerns over a serious vulnerability in Zoom that could allow any website to open up a Zoom conference call on your computer automatically with the webcam on. Even if you uninstalled Zoom, the web server persisted on your machine and could even reinstall the application automatically.
In the day that followed, Zoom first defended the use of a web server that enabled this functionality, then bowed to pressure and updated its app to remove it. Speaking to The Verge yesterday, Zoom’s chief information security officer, Richard Farley, explained that the company didn’t really believe that there was anything wrong with its software, but it wanted to reassure everybody who disagreed:
Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision. And it was [at] the request of some of our customers. But we also recognize and respect the view of others that say they don’t want to have an extra process installed on their local machine. So that’s why we made the decision to remove that component.
As we wrote yesterday, all of the attention on the tactic of using a web server to do extra work on your computer has been focused on Zoom, but it has not been alone in doing so. A competing video conferencing service, BlueJeans, said that it too used similar software, but that it felt it was more secure. Sean Simmons, a senior director of product management at the company, told us:
While BlueJeans does use a launcher service […] we have mitigated this vulnerability by only allowing bluejeans.com websites to launch the BlueJeans desktop app into a meeting. Secondly, an uninstall of BlueJeans on Mac or Windows completely removes the application and the launcher service described in the article above. We continue to review all of the points in the Medium post and expect to have another update shortly.
The story, pardon the pun, may very well zoom out beyond this particular piece of web conferencing software and apply to other apps for the Mac. We’ve reached out to Apple regarding that question and will report if we hear more on that.