Apple pushes out another silent update to address flaws in RingCentral and other video conferencing apps

More vulnerable video conferencing apps silently patched by Apple

It turns out it wasn’t just users of the Zoom video conferencing app who were at risk of having their webcam hijacked.

A week after Zoom admitted it had poorly handled the discovery of a privacy vulnerability in its software, and Apple pushed out a silent update to neutralise some of Zoom’s most outrageous behaviour, Mac users have received a further security update that protects against the same Zoom vulnerability in other video conferencing apps.

The apps, as listed by security researcher Karan Lyons, are all apps that have licensed Zoom’s technology and – like Zoom – created a localhost webserver on Macs that allowed the software to be reinstalled without explicit permission from users.


As I described when the security violation first came to light, it’s bad enough that users could be tricked into unexpectedly entering a video call, but in some ways even worse that Zoom felt it had the right to install its software onto users’ Macs without their explicit permission.

That doesn’t just suck, it’s downright rude. I want to control whose apps get installed on my computer. A typical Mac user would believe that dragging the Zoom app into the trash can would uninstall the app, not leave behind code that can reinstall the app in the blink of an eye without a user’s explicit permission.

Now we know it’s not just Zoom that contained this sketchy code, but also products that had white-labelled Zoom’s software – including RingCentral, Telus Meetings, AT&T Video Meetings, and Zhumu.

Apple doesn’t make a habit of pushing out silent emergency updates, but clearly felt it was important enough in this situation.

For most Mac users I think automatic updates are a good thing, but if you really don’t like the idea of Apple installing a security update without your authorisation you can go into your system preferences and uncheck “Install system data files and security updates.”

macOS system update preferences

I bet the programmers at Apple would be happier working on other projects than cleaning up another company’s mess.

For more discussion of the Zoom flaw, listen to this edition of the “Smashing Security” podcast:

Smashing Security #136: 'Oops, we created Iran's hacking exploit'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
