Apple pushes out silent update to remove sketchy Zoom code from Macs

Graham Cluley


Let’s be clear about this: Zoom, the makers of a video conferencing app used by millions of people around the world, did not handle the discovery of a privacy vulnerability in its software at all well.

A flaw in the Mac version of the company’s app was initially explained away as a “legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings.”

That, and veiled criticism of the researcher who responsibly shared details of the problem with Zoom, did not go down well with computer users concerned that they could be tricked into joining a video conference with no warning, with their audio and webcam enabled.

I’m sure I wasn’t the only Mac user who was startled to find out that even after I had uninstalled the Zoom video conferencing app from my Mac, web server code Zoom had planted on my computer remained, allowing the software to be reinstalled without asking for my permission anytime I clicked on a Zoom meeting link.

Just listen to this edition of the “Smashing Security” podcast (recorded on Tuesday) to hear how pissed off I was:

Smashing Security #136: 'Oops, we created Iran's hacking exploit'


Well, it seems it didn’t take long for Zoom to realise it was on the wrong end of the argument.

In a blog post, Zoom founder and CEO Eric S. Yuan doesn’t go so far as using words like “sorry” or “apologise” but does admit that the company “misjudged the situation.”

Furthermore, Zoom says it has issued an update to its Mac app that removes the controversial local web server code, and now offers an uninstall option that removes both the Zoom client *and* the local web server.


My advice? If you want to continue running Zoom on your Mac, you should apply that update.

But that’s not all that’s happened.

Apple has also entered into the fray, and issued a silent update to Mac users that removes the Zoom web server code from all Macs, even if they do not update their version of Zoom. Zoom says it worked with Apple to test the update, which requires no user interaction.

TechCrunch reports that Apple’s update “will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself.”

Going forward, Mac users will be prompted to choose whether they want to run the Zoom app. Clearly wise heads have concluded that that’s not such a “poor user experience” after all.

Me? I’m not rushing to reinstall Zoom on my computers. I think next time someone invites me to a Zoom-based video conference I’ll see if I can use the web version of Zoom (which doesn’t require any software to be installed on my computer) instead.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.