A few days ago, a severe vulnerability in the Zoom video conferencing app for Mac was reported. Due to the security flaw, hackers could potentially hijack users’ webcams and threaten their online security.
The vulnerability stemmed from a hidden web server that Zoom had installed on users’ computers to allow incoming calls to be answered automatically. That web server was not only the weak point that could be exploited; it was also left in place when the application was deleted. For that reason, users who had previously deleted Zoom might not even realize they were vulnerable to this potential cyber attack.
Yesterday, Zoom launched an emergency patch to remove the vulnerable web server. However, because Apple is concerned that many users won’t update or are unaware of the controversy, it is releasing a patch of its own to solve the issue, meaning your Mac will get it without any interaction on your part.
Before Zoom’s emergency update, uninstalling the application left the web server on your Mac, so for users who had already removed the app, Zoom has no way to uninstall the server through an updated app. That means the easiest way for those users to get the security patch is for Apple to provide it.
According to TechCrunch, Apple has already taken the matter further and seeded a silent macOS update to remove the web server. The update is deployed automatically, so users don’t have to install it manually.
“Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself.
The update will now prompt users if they want to open the app, whereas before it would open automatically.”
At the same time, Zoom spokesperson Priscilla McCarthy told TechCrunch:
“We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.”
In a blog post, Zoom writes that this weekend it will take further action: first-time users who select “Always turn off my video” will automatically default to having video off for all future meetings. Additionally, Zoom will also be improving its bug bounty program and its escalation process for security-related issues.