Yesterday, video conferencing service Zoom released an update for its Mac client, removing the controversial local web server that made it possible for someone to launch a video call on a user’s computer without permission.
Now, however, reports indicate that Apple has stepped in regardless, pushing a silent update to Macs that removes Zoom’s web server altogether.
The local web server, which Zoom quietly installed on users’ computers, improved some aspects of Zoom’s usability but opened up huge potential for misuse, as first documented by security researcher Jonathan Leitschuh.
Apple said the update protects past and present Zoom users from the vulnerabilities discovered by Leitschuh, and Zoom told TechCrunch that the company is “glad to have worked with Apple” on the update.
The fact that Apple stepped in with a patch that fixes a third-party app, something the company very rarely does, speaks volumes. A third-party app that installs a local web server on your computer without telling you, enabling such “features” as automatically reinstalling the Zoom app even after you’ve uninstalled it, is terrible for your system’s security.
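The defensive lesson of the paragraph above is that a local web server nobody asked for is only dangerous for as long as it goes unnoticed, and an unexpected listener on the loopback interface is something an analyst can check for. The following script is an added example, not code from this article or from Zoom or Apple: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (the macOS/Linux command that lists listening TCP sockets and their owning processes) and reports every listener whose process is not on an allowlist, noting whether it is bound to loopback only or to all interfaces. The sample `lsof` lines, the process names `HiddenHelper` and `updaterd`, the ports and the allowlist are all constructed for the demonstration; the real daemon name and port from Leitschuh’s write-up are not on this page and are not used here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. Not a real capture:
# the process names, PIDs and ports are invented for this example.
SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd      412 alice    4u  IPv4 0xab01      0t0  TCP *:49152 (LISTEN)
HiddenHelper  812 alice    6u  IPv4 0xab02      0t0  TCP 127.0.0.1:54321 (LISTEN)
Python       1300 alice    3u  IPv4 0xab03      0t0  TCP 127.0.0.1:8000 (LISTEN)
sshd          118  root    5u  IPv6 0xab04      0t0  TCP *:22 (LISTEN)
updaterd      990  root    7u  IPv4 0xab05      0t0  TCP *:8080 (LISTEN)
"""

# Processes the analyst already knows about on this machine. Constructed for the
# example; a real allowlist is built from the host's own baseline.
ALLOWLIST = frozenset({"rapportd", "sshd", "Python"})

# One lsof row: COMMAND PID USER ... NAME, where NAME ends in "addr:port (LISTEN)".
# addr is an IPv4 address, a bracketed IPv6 address, or "*" for all interfaces.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s"
    r"(?P<addr>[\d.]+|\*|\[[0-9a-f:]+\]):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def parse_listeners(lsof_output: str) -> List[Dict[str, str]]:
    """Return one dict (cmd, pid, user, addr, port) per listening socket.

    The header line and any row that does not match the expected shape are skipped.
    """
    listeners = []
    for line in lsof_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append(match.groupdict())
    return listeners


def scope_of(addr: str) -> str:
    """Classify the bind address: loopback-only or reachable from other hosts."""
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback"
    return "all interfaces"


def unexpected_listeners(
    lsof_output: str, allowlist: frozenset = ALLOWLIST
) -> List[Tuple[str, int, int, str]]:
    """Return (command, pid, port, scope) for every listener not on the allowlist.

    Loopback listeners are included deliberately: a server bound to 127.0.0.1 is
    still reachable by any page loaded in a local browser, which is exactly the
    class of problem the hidden Zoom web server created.
    """
    hits = []
    for entry in parse_listeners(lsof_output):
        if entry["cmd"] not in allowlist:
            hits.append(
                (entry["cmd"], int(entry["pid"]), int(entry["port"]), scope_of(entry["addr"]))
            )
    return hits


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LSOF with the captured output of
    # `lsof -nP -iTCP -sTCP:LISTEN` (requires sufficient privileges to see all processes).
    for cmd, pid, port, scope in unexpected_listeners(SAMPLE_LSOF):
        print(f"unexpected listener: {cmd} (pid {pid}) on port {port}, {scope}")
```

The allowlist approach is deliberate: rather than trying to recognise a specific bad daemon by name, the check surfaces anything the analyst has not already accounted for, which also catches a helper that has been renamed or reinstalled after removal.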
And the fact that Zoom initially downplayed the vulnerabilities, calling them “low risk,” and defended its use of the hidden web server, shows the importance of the work of independent security researchers, who are sometimes the first to disprove such claims.
In a blog post on Wednesday, Zoom CEO Eric S. Yuan wrote that the company would launch a public vulnerability disclosure program in the “next few weeks.” He also wrote that the company has “taken steps to enhance our process for receiving, escalating, and closing the loop on all future security-related concerns.”