After all the drama related to Zoom's use of a hidden web server on Mac, Apple itself has decided to intervene, TechCrunch reports. It is issuing a silent update – which means your Mac will get it without any interaction from you – to remove the web server, which was designed to save Safari users an extra click, from any Mac on which the Zoom software is installed.
Although Zoom itself published an emergency patch yesterday to remove this web server, Apple is apparently concerned that enough users either are not updating or are not aware of the controversy in the first place that it is publishing its own patch. This is perfectly logical, not only because many users may not open Zoom for a while, but also because many of them have uninstalled the application. Before Zoom's emergency update, uninstalling the application left the web server on your computer, so Zoom would have no way of removing it through an updated application. This means that the only reasonable and easy way for these people to get the fix would be for Apple to provide it. Apple believes that this software update should not affect the ability of Zoom to work on Macs.
Apple stepped in because it knew how to do it because it was still vulnerable after uninstalling Zoom, but did not know about the vulnerability or did not want to install the updated version of Zoom Update.
– Zack Whittaker (@zackwhittaker) July 10, 2019
Apparently, Apple also told Zoom that this was happening:
Priscilla McCarthy, spokesperson for Zoom, told TechCrunch: "We are happy to have worked with Apple to test this update. We expect the web server problem to be solved today. We appreciate the patience of our users as we continue to work to address their concerns."
This whole saga started earlier in the week when security researcher Jonathan Leitschuh published his concerns about a serious vulnerability that could allow any website to open a Zoom conference automatically on your computer with the webcam turned on. Even if you uninstalled Zoom, the web server persisted on your computer and could even reinstall the application automatically.
In the day that followed, first, the web server user who activated this feature, and then the application to delete it. Speaking to The Verge yesterday, Richard Farley, Head of Information at Zoom, explained that the company did not really believe that its software was faulty, but wanted to reassure all those who disagreed:
Our initial position was to install this process (web server) to allow users to join the meeting without having to make these additional clicks – we feel it was the right decision. And it was (at) the request of some of our customers. But we also recognize and respect the point of view of others who say they do not wish to have an additional process on their local computer. That's why we made the decision to remove this component.
As we wrote yesterday, all the attention paid to the tactic of running a web server on your computer was focused on Zoom, but Zoom was not alone in using it. BlueJeans, a competing videoconferencing service, said that it was using similar software, but that it felt its approach was more secure. Sean Simmons, senior director of product management for the company, told us:
Although BlueJeans uses a launch service (…), we have mitigated this vulnerability by allowing only bluejeans.com websites to launch the BlueJeans desktop application in a meeting. Secondly, uninstalling BlueJeans on Mac or Windows completely deletes the application and launcher service described in the article above. We continue to review all points of the Medium publication and plan to have another update shortly.
The story, pardon the pun, could very well zoom out from the web conferencing software in question and apply to other applications for Mac.