Yesterday, video conferencing service Zoom released an update for its Mac client, removing the controversial web server functionality that opened up the possibility of someone launching a video call on user’s computer without permission.
But now, TechCrunch reports that Apple decided to step in regardless, launching a silent update for Macs that removes Zoom’s web server functionality altogether.
The local web server, which Zoom used to quietly install on user computers, improved some usability aspects of Zoom, but opened up massive potential for misuse, as first documented by security researcher Jonathan Leitschuh.
Apple said the update protects past and present Zoom users from the vulnerabilities found by Leitschuh, and Zoom told TechCrunch that the company is “happy to have worked with Apple” on the update.
The fact that Apple moved in with a patch that fixes a third party app — something the company very rarely does — speaks volumes. A third party app that installs a local web server on your computer without telling you, allowing such “features” as automatically reinstalling the Zoom app even after you’ve uninstalled it, is horrible for your system’s security.
And the fact that Zoom initially downplayed the vulnerabilities, calling them “low risk,” and defended its use of the hidden web server, shows the importance of the work of independent security researchers, which are often the first to disprove such claims.
In a blog post Wednesday, Zoom CEO Eric S. Yuan wrote that the company would launch a public vulnerability disclosure program in the “next few weeks.” He also wrote that the company has “taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns.”