Apple today pushed a second silent security update to Macs to address further vulnerabilities related to the Zoom video conferencing app for macOS, reports The Verge.
Apple removed software that was installed by RingCentral and Zhumu, two video conferencing apps that relied on technology from Zoom and were also found to have the same vulnerabilities as Zoom earlier this week.
These two apps installed software able to respond to commands that could potentially allow websites to open up your webcam during a video conference without permission. Removing the apps did not remove the secondary software that was vulnerable to exploitation, which is also how Zoom worked.
Discovered last week, the Zoom vulnerability let a website forcibly initiate a video call on a Mac with the Zoom app installed, due to a web server that Zoom installed in the background.
When the vulnerability was first discovered, Zoom said that it used a local web server as a workaround to Safari changes that Apple introduced in Safari 12, calling it a "legitimate solution" to an otherwise "poor user experience" that allowed users to access "seamless, one-click-to-join meetings."
At issue was a new popup Apple implemented to require user approval when launching a third-party app, which Zoom wanted to avoid. Zoom did so through the aforementioned web server, which was designed to wait for calls to open up Zoom conferences automatically.
Zoom eventually released a patch to address the issue, and Apple also took the step of removing web server software that was not initially removed from the Mac when uninstalling the Zoom app. Zoom has since made it so uninstalling the Zoom app will remove the web server, and has made other changes.
Installing Zoom no longer installs a local web server on Mac devices, and there is a new setting to save the "Always turn off my video" preference that disables video in Zoom by default until it is manually enabled.
As with the original Zoom patch, the new patch for RingCentral and Zhumu is deployed automatically so that users are not required to apply it manually for it to take effect. Apple told The Verge that it plans to fix the vulnerability for all of Zoom's partner apps.