Apple Pushes Another Automatic Mac Software Update to Address Further Zoom-Related Vulnerabilities

Apple today pushed a second silent security update to Macs to address further vulnerabilities related to the Zoom video conferencing app for macOS, reports The Verge.

Apple removed software that was installed by RingCentral and Zhumu, two video conferencing apps that relied on technology from Zoom and were also found to have the same vulnerabilities as Zoom earlier this week.

zoom logo
These two apps installed software able to respond to commands that could potentially allow websites to open up your webcam during a video conference without permission. Removing the apps did not remove the secondary software that was vulnerable to exploitation, which is also how Zoom worked.

Discovered last week, the Zoom vulnerability let a website forcibly initiate a video call on a Mac with the Zoom app installed, due to a web server that Zoom installed in the background.

When the vulnerability was first discovered, Zoom said that it used a local web server as a workaround to Safari changes that Apple introduced in Safari 12, calling it a "legitimate solution" to an otherwise "poor user experience" that allowed users to access "seamless, one-click-to-join meetings."

At issue was a new popup Apple implemented to require user approval when launching a third-party app, which Zoom wanted to avoid. Zoom did so through the aforementioned web server, which was designed to wait for calls to open up Zoom conferences automatically.

Zoom eventually released a patch to address the issue, and Apple also took the step of removing web server software that was not initially removed from the Mac when uninstalling the Zoom app. Zoom has since made it so uninstalling the Zoom app will remove the web server, and has made other changes.

Installing Zoom no longer installs a local web server on Mac devices, and there is a new setting to save the "Always turn off my video" preference that disables video in Zoom by default until it is manually enabled.

As with the original Zoom patch, the new patch for RingCentral and Zhumu is deployed automatically so that users are not required to apply it manually for it to take effect. Apple told The Verge that it plans to fix the vulnerability for all of Zoom's partner apps.

Tag: Zoom

Top Rated Comments

BWhaler Avatar
29 months ago
NO

It was NOT discovered last week.

ZOOM was informed months ago, decided not to fix the patch because it would lower their value proposition and product strategy. Again, they chose to leave the security hole open for their business gain.

Two weeks ago was when the researcher got fed up and disclosed it to the public. Only then did Zoom jump into PR mode and fox the problem.

Apple, god bless them, learned of this and shut the exploit down. No point waiting for an unethical company. What else does Zoom know about they still haven’t disclosed?

MacRumors writers, do your job. Don’t let unethical companies spin or this behavior will never go away.
Score: 30 Votes (Like | Disagree)
arkmannj Avatar
29 months ago
Even if you discount the security issues... thanks companies for installing a 24x7 service consuming resources just to avoid a potential CLICK.

Good on Apple for pushing out the updates to help mitigate the stupidity of these companies.
Score: 14 Votes (Like | Disagree)
Westside guy Avatar
29 months ago
Any chance you’re willing to share your script? :) It’s a shame that you’d even need to make something like that, especially having to run regularly.
Here it is, warts and all (replace "{username1}, {username2}, etc. with actual user accounts of course).

* There should really be some error checking added to this, for example it shouldn't try to move the files if it's unable to create the "-unused" directories.
* Released under the "you break it, you get to keep both pieces" license


#!/bin/bash -f

#
# Cleans out all the cruft that Adobe, Microsoft, and Google try to hide
# in the Launch* directories. This script works from the command line, but
# it's mainly intended for use as a cron job.
#
# Needs to be run with sudo, or as root
#
#
# Changelog: Added Skype to the list 2018-12-03 TLS
#
# Initial script written 2018-08-15 TLS
#

if [ $USER != "root" ] ; then
echo "Error - needs to be run with root permissions (you are $USER). Please use sudo."
exit 1;
fi

DIRECTORY_LIST=(
"/Library/LaunchAgents"
"/Library/LaunchDaemons"
"/Users/{username1}/Library/LaunchAgents"
"/Users/{username2}/Library/LaunchAgents"
)
UNWANTED_LAUNCHERS_LIST=(
"com.adobe.*"
"com.citrix.*"
"com.google.*"
"com.lifescan.*"
"com.microsoft.*"
"com.skype.*"
)

for THIS_DIR in ${DIRECTORY_LIST* } ; do
if [ ! -d $THIS_DIR ] ; then
continue
fi
STORAGE_DIR="$THIS_DIR-unused"
if [ ! -d $STORAGE_DIR ] ; then
mkdir $STORAGE_DIR
fi
for THIS_GLOB in ${UNWANTED_LAUNCHERS_LIST* } ; do
find $THIS_DIR -maxdepth 1 -type f -iname $THIS_GLOB -exec mv \{\} $STORAGE_DIR \;
done
done
Score: 12 Votes (Like | Disagree)
Westside guy Avatar
29 months ago
Even if you discount the security issues... thanks companies for installing a 24x7 service consuming resources just to avoid a potential CLICK.
Yeah, this is a problem - even setting aside security concerns. All sorts of companies add superfluous scripts to our system's LaunchAgents and LaunchDaemons folders, usually for no good reason. Adobe, Citrix, Google, Microsoft, etc. Maybe each one doesn't normally chew up much memory, but the effect is cumulative... and sometimes those processes run away.

I actually have a "cleanup unwanted launchers" bash script running as a cron job on all my Macs. It runs each hour and moves the cruft any of these companies (and a couple others) placed into the various LaunchAgents and LaunchDaemons folders into LaunchAgents-unused and LaunchDaemons-unused, respectively.
Score: 8 Votes (Like | Disagree)
Kaibelf Avatar
29 months ago
Automatic silent OS updates huh? Sounds like some Google privacy invading stuff to me.
Howso? By making sure people can NOT access your camera and mic without your knowledge in a way that was designed to sidestep basic OS protections, now it's invading your privacy?
Score: 7 Votes (Like | Disagree)
iGeneo Avatar
29 months ago
Good!

I have ZERO issue with these silent updates
Score: 7 Votes (Like | Disagree)

Top Stories

affinity designer contour tool

Serif Updates Affinity Photo, Designer, and Publisher With New Tools and Functions

Thursday February 4, 2021 1:58 am PST by
Serif today announced across-the-board updates for its popular suite of Affinity creative apps, including Affinity Photo, Affinity Designer, and the Apple award-winning Affinity Publisher for Mac, all of which were among the first professional creative suites to be optimized for Apple's new M1 chip. "After another year which saw record numbers of people switching to Affinity, it's exciting to...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
maxresdefault

Craig Federighi and Greg Joswiak Discuss iPadOS 15, macOS Monterey, Privacy, Shortcuts on Mac, and More

Saturday June 12, 2021 6:12 am PDT by
As is tradition, Apple executives Craig Federighi and Greg Joswiak joined Daring Fireball's John Gruber in an episode of The Talk Show to discuss several announcements that Apple made over this weeks WWDC, including iPadOS 15, macOS Monterey, and a large focus around privacy. Federighi kicks off the conversation discussing the common architecture, now thanks to Apple silicon, across all of...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
adobe photoshop sketch ipad

Adobe Removing Photoshop Sketch and Illustrator Draw From App Store in July

Saturday June 26, 2021 4:02 pm PDT by
Adobe this week reminded customers that its Photoshop Sketch and Illustrator Draw apps will no longer be available for download on iOS and Android starting July 19. Adobe plans to stop supporting the apps for existing users on January 10, 2022. In a support document, Adobe said users can easily migrate to its Fresco app, which combines many Photoshop Sketch and Illustrator Draw drawing and...
REC ASA CODE2016 20160601 205816 2745

Elon Musk Reportedly Demanded to Become Apple CEO as Part of Potential Tesla Acquisition [Update: Musk Denies]

Friday July 30, 2021 9:04 am PDT by
Tesla CEO Elon Musk reportedly once demanded that he be made Apple CEO in a brief discussion of a potential acquisition with Apple's current CEO, Tim Cook. The claim comes in a new book titled "Power Play: Tesla, Elon Musk and the Bet of the Century," as reviewed by The Los Angeles Times. According to the book, during a 2016 phone call between Musk and Cook that touched on the possibility of ...
homepod feature blue2

Looking to Grab a HomePod Before They're Gone? These Retailers Still Have Stock

Monday March 15, 2021 6:54 am PDT by
Apple last week discontinued the original HomePod, marking just over three years on the market for the full-size smart speaker. If you're looking to purchase the larger HomePod before it's completely gone, there are still some options online today. The biggest retailer with remaining stock on the HomePod is Apple itself, which has the White HomePod for $299.00 on its website. Space Gray is...
september 2021 event ar logo

Apple's September 14 Event Page Features AR Logo on iPhone

Tuesday September 7, 2021 9:23 am PDT by
Apple this morning announced a digital-only event that will be held on Tuesday, September 14, and if you view the event webpage on an iPhone, you can tap on the logo to open up Apple's Safari AR viewer and you'll see the three-dimensional logo move in real-time in the real world. Just open up the event site on an ‌iPhone‌ or iPad and tap right on the logo to open up the AR version. The...
iphone 11 night mode photos

Apple Reveals New Night Mode Photo Feature Exclusive to iPhone 11 Series

Tuesday September 10, 2019 12:23 pm PDT by
Apple today announced the iPhone 11, iPhone 11 Pro, and the iPhone 11 Max, all-new models that boast improved cameras, and specifically, a dramatic new Night Mode photo feature. Last year, Google introduced its impressive Night Sight camera mode, a software-based feature that allows users to take detailed pictures in dark environments using Google Pixel smartphones. Apple's new Night...
iPhone 13 Dummy Thumbnail 2

Kuo: iPhone 13 to Feature LEO Satellite Communications to Make Calls and Texts Without Cellular Coverage

Sunday August 29, 2021 7:39 am PDT by
The iPhone 13 will feature low earth orbit (LEO) satellite communication connectivity to allow users to make calls and send messages in areas without 4G or 5G coverage, according to the reliable analyst Ming-Chi Kuo. In a note to investors, seen by MacRumors, Kuo explained that the iPhone 13 lineup will feature hardware that is able to connect to LEO satellites. If enabled with the relevant...