It turns out it wasn’t just users of the Zoom video conferencing app who were at risk of having their webcam hijacked.
A week after Zoom admitted it had handled the discovery of a privacy vulnerability in its software poorly, and Apple pushed out a silent update to neutralise some of Zoom’s most outrageous behaviour, Mac users have received a further security update that protects against the same Zoom vulnerability in other video conferencing apps.
The apps, as listed by security researcher Karan Lyons, have all licensed Zoom’s technology and, like Zoom, installed a localhost web server on Macs that allowed the software to be reinstalled without explicit permission from users.
MRT update 1.46 now removes vulnerable web servers for Zoom, RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, and Zoom CN.
— Karan Lyons (@karanlyons) July 16, 2019
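The check a Mac user might want after reading that list is whether any such loopback web server is still listening. The script below is an added example, not code from the article, from Apple or from any of the vendors named: it filters the format of `lsof -nP -iTCP -sTCP:LISTEN` for listeners bound only to the loopback interface and matches the process name against the app names the tweet lists. The sample `lsof` text, its PIDs, ports and process names (`ZoomOpener`, `RingCentralOpener`) are constructed for illustration and are not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original article or from Apple/Zoom.
# Flags processes that listen only on the loopback interface, the pattern
# the Zoom-derived apps used so that a web page could reach them.
# Input is the format of `lsof -nP -iTCP -sTCP:LISTEN` on macOS.

# Constructed sample output (not a real capture; PIDs, ports and the
# process names are assumptions made for this illustration).
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener 412 alice    7u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19421 (LISTEN)
RingCentralOpener 518 alice 6u IPv4 0x3c4d 0t0 TCP 127.0.0.1:19424 (LISTEN)
sshd        88 root    3u  IPv4 0x5e6f      0t0  TCP *:22 (LISTEN)
python3   1200 alice    5u  IPv6 0x7a8b      0t0  TCP [::1]:8000 (LISTEN)'

# Prefixes derived from the app names in the tweet; matched case-insensitively
# against the COMMAND column. "bt" and "att" are short and will over-match,
# so treat hits as something to inspect, not as proof.
VIDEO_APP_PATTERN='^(zoom|ringcentral|telus|bt|officesuite|att|bizconf|huihui|umeeting|zhumu)'

# Print "COMMAND PID PORT" for every listener bound to 127.0.0.1, localhost or [::1].
loopback_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
         addr = $(NF - 1)
         if (addr ~ /^(127\.0\.0\.1|localhost|\[::1\]):/) {
           n = split(addr, parts, ":")
           print $1, $2, parts[n]
         }
       }'
}

# Keep only loopback listeners whose process name matches a listed video app.
video_app_listeners() {
  loopback_listeners | grep -iE "$VIDEO_APP_PATTERN" || true
}

# Count suspect listeners in the given lsof text and print the number.
count_video_app_listeners() {
  printf '%s\n' "$1" | video_app_listeners | wc -l | tr -d ' '
}

# On a real Mac: run lsof for live listeners and show the MRT entry in the
# install history so the version (1.46 or later) can be confirmed.
live_check() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP -sTCP:LISTEN | video_app_listeners
  fi
  if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPInstallHistoryDataType | grep -A 3 MRT
  fi
}
```

Run `live_check` on the Mac in question; an empty listener list together with an MRT entry at 1.46 or later is the result you want. A hit on `sshd` or a development server bound to loopback is expected and harmless, which is why the second filter narrows to the process names from the list.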
As I described when the security violation first came to light, it’s bad enough that users could be tricked into unexpectedly joining a video call, but in some ways it is even worse that Zoom felt it had the right to install its software onto users’ Macs without their explicit permission.
That doesn’t just suck, it’s downright rude. I want to control whose apps get installed on my computer. A typical Mac user would believe that dragging the Zoom app into the trash can would uninstall the app, not leave behind code that can reinstall the app in the blink of an eye without a user’s explicit permission.
Now we know it’s not just Zoom that contained this sketchy code, but also products that had white-labelled Zoom’s software – including RingCentral, Telus Meetings, AT&T Video Meetings, and Zhumu.
Apple doesn’t make a habit of pushing out silent emergency updates, but clearly felt it was important enough in this situation.
For most Mac users I think automatic updates are a good thing, but if you really don’t like the idea of Apple installing a security update without your authorisation you can go into System Preferences and uncheck “Install system data files and security updates.”
I bet the programmers at Apple would be happier working on other projects than cleaning up another company’s mess.
For more discussion of the Zoom flaw, listen to this edition of the “Smashing Security” podcast:
Smashing Security #136: 'Oops, we created Iran's hacking exploit'