Apple has quietly rolled out a security-related update to all Mac systems to ensure current and former users of the Zoom video conferencing app aren't exposed to a serious privacy and security flaw disclosed last week.
The flaw in the Zoom app for Mac systems allowed a website to silently access a vulnerable computer’s camera.
The seriousness of the bug was exacerbated by Zoom’s practice of retaining a localhost web server on Macs even after users remove the app, which allowed it to reinstall the Zoom client automatically when a user clicks on a link.
Zoom argued the hidden web server was a valid “workaround” to a change in Safari 12 that required users click to confirm they want to start the Zoom client before joining every meeting.
“The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings,” said Zoom.
Jonathan Leitschuh, the researcher who reported the bug to Zoom, posted technical instructions for removing the web server, which was the only way to remove this component. However, the manual steps would likely not be followed through by many Mac users who may have at one point installed the Zoom client.
Leitschuh described Zoom’s practice as “incredibly sketchy” and released details of the bug after Zoom failed to meet a 90 day disclosure deadline.
Zoom on Tuesday also offered users an update that allowed them to manually uninstall the Zoom client and web server.
However, Apple addressed the issue more thoroughly on Wednesday by releasing an update to all Macs that removed the web server even for users that missed Zoom’s update.
Zoom CEO Eric Yuan admitted the company “misjudged the situation and did not respond quickly enough”. The company also plans to release an update that changes the Zoom app video being on by default.
"With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved," said Yuan. That setting will be saved the user’s Zoom client settings, making video off by default for future meetings.
Zoom will also now launch a public bug bounty program after Leitschuh, who was invited to its private bug bounty, refused to sign an agreement that would have prevented him publishing details after a fix was release.
Luan additionally admitted escalation process for bug reports wasn't good enough in this case and claims the company has taken "steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns."