Apple on Wednesday quietly rolled out a security-related update to all Mac systems to make sure current and former users of the Zoom video conferencing app weren’t exposed to a serious privacy and security flaw disclosed this week. 

The flaw in the Zoom app for Mac systems allowed a website to silently access a vulnerable computer’s camera. The seriousness of the bug was exacerbated by Zoom’s practice of retaining a localhost web server on Macs even after users remove the app, which allowed it to reinstall the Zoom client automatically when a user clicks on a link. 

Zoom argued the hidden web server was a valid “workaround” to a change in Safari 12 that required users to click to confirm that they want to start the Zoom client before joining every meeting.

“The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings,” said Zoom.

Jonathan Leitschuh, the researcher who reported the bug to Zoom, posted technical instructions for removing the web server, which was the only way to remove this component. However, many Mac users who may at some point have installed the Zoom client were unlikely to follow through on the manual steps.
