Apple pushes out another silent update to address flaws in RingCentral and other video conferencing apps

Graham Cluley

More vulnerable video conferencing apps silently patched by Apple

It turns out it wasn’t just users of the Zoom video conferencing app who were at risk of having their webcam hijacked.

A week after Zoom admitted it had handled the discovery of a privacy vulnerability in its software poorly, and Apple pushed out a silent update to neutralise some of Zoom’s most outrageous behaviour, Mac users have received a further security update that protects against the same Zoom vulnerability in other video conferencing apps.

The apps, as listed by security researcher Karan Lyons, are all apps that have licensed Zoom’s technology and – like Zoom – created a localhost webserver on Macs that allowed the software to be reinstalled without explicit permission from users.

As I described when the security violation first came to light, it’s bad enough that users could be tricked into unexpectedly entering a video call, but in some ways even worse that Zoom felt it had the right to install its software onto users’ Macs without their explicit permission.

That doesn’t just suck, it’s downright rude. I want to control whose apps get installed on my computer. A typical Mac user would believe that dragging the Zoom app into the trash can would uninstall the app, not leave behind code that can reinstall the app in the blink of an eye without a user’s explicit permission.

Now we know it’s not just Zoom that contained this sketchy code, but also products that had white-labelled Zoom’s software – including RingCentral, Telus Meetings, AT&T Video Meetings, and Zhumu.

Apple doesn’t make a habit of pushing out silent emergency updates, but clearly felt it was important enough in this situation.

For most Mac users I think automatic updates are a good thing, but if you really don’t like the idea of Apple installing a security update without your authorisation, you can go into your system preferences and uncheck “Install system data files and security updates.”

I bet the programmers at Apple would be happier working on other projects than cleaning up another company’s mess.

For more discussion of the Zoom flaw, listen to this edition of the “Smashing Security” podcast:

Smashing Security #136: 'Oops, we created Iran's hacking exploit'

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.