Published: Thu, July 11, 2019
IT | By Lester Massey

Apple updates Mac to fix faulty video conferencing app

Millions of people use Zoom's corporate video conferencing apps.

The update also allows users to manually uninstall Zoom. When users visited these websites again, an attacker could have easily accessed the victim's webcam at any time via the web server. Because the web server is standalone software, it remains on Macs that had Zoom installed and stays there even when the user removes the app completely.

"Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage", the researcher warned.

The flaw only affects computers running Apple's macOS, because Windows computers manage connections in a different way, the report says.

This local server left users vulnerable even after they had uninstalled the Zoom client.


In a more detailed public statement, Zoom said admins and users will be able to turn off video if they configure their client video settings, and that preferences from their first Zoom meeting will be saved once they apply its July update. "We are stopping the use of a local web server on Mac devices", the company said.

By Wednesday, that differentiator was reduced, as the company announced in a heavily updated blog post that it would walk back its local web server support in a patch prepared for Tuesday night.

Apple's move will ensure Mac users are protected from the hidden web server vulnerability, but this won't impact the Zoom app's functionality.

The idea that anyone can remotely activate your laptop's webcam will alarm many, and Zoom has responded and rushed out a patch for the app on Macs. It seems that Zoom thinks that asking a user if they want to join a meeting is a "poor user experience".

However, a malicious website can exploit the web server by sending it a request for a video feed. "We appreciate our users' patience as we continue to work through addressing their concerns", Zoom spokesperson Priscilla Barolo told CNET, confirming the TechCrunch report.
