Wednesday, July 17, 2019

Apple Silently Pushes Another macOS Update to Fix Webcam Vulnerability

Almost a week ago, Apple had to release a quiet update to macOS to address some secondary and potentially dangerous software related to the video conferencing app, Zoom. And now the company is doing the same for that company’s partner apps.

As noted previously, simply removing the apps will not fix the vulnerability. The secondary web server will not be removed even if the software vendors fix the issue. The situation seems to have forced Apple to take matters into its own hands and automatically delete the web server software from affected Macs.

The Zoom vulnerability came to light last week, and Apple pushed a silent update to remove the web server. This time Apple has issued yet another silent update, to remove the web servers installed by RingCentral and Zhumu. The update is completely autonomous and doesn't need user intervention. Yesterday, RingCentral and Zhumu, video conferencing apps that use Zoom's code, were found to have installed their own web servers. The makers of these video conferencing apps install a web server alongside the app to allow users to join meetings with one click.

Apple will be fixing the issue with all of Zoom’s partner apps.

The core issue stems from a change Zoom made to its video conferencing software to work around a security update Apple had made to Safari. Safari was recently updated in such a way that it required user approval to open up a third-party app, every time, and Zoom wanted to keep users from having to deal with that extra click. That required installing a web server that listened for calls to open up Zoom conferences. Combine that with the fact that it was common and easy for Zoom users to have their default set to have video on when joining a call, and it became possible for a malicious website with an iframe to open up a video call on your Mac with the camera on.
Even when users uninstall the video conferencing app, the web server it installed lives on. Apple may have to issue many such updates, since other apps using Zoom's code are likely to be affected by the webcam vulnerability. The company usually issues silent updates to weed out malware; however, this is the first time it has stepped in to fix a flaw caused by a third-party app.

The update will be out today.
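Because the helper web server described above keeps listening after the app is uninstalled, one way to audit a Mac is to list listening TCP sockets and flag any process that is not expected to be serving. The following is an added example, not code from the original post or from Apple or Zoom; the process names, PIDs, ports and the allowlist are constructed assumptions, and the input format is that of `lsof -nP -iTCP -sTCP:LISTEN`.

```python
import re

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. All process
# names, PIDs, device ids and ports here are made up for illustration.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sharingd   412 alice    4u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:49153 (LISTEN)
mtghelper  733 alice    6u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:18000 (LISTEN)
mtghelper  733 alice    7u  IPv6 0x1a2b3c4d5e6f7083      0t0  TCP [::1]:18000 (LISTEN)
postgres   901 alice    5u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

# COMMAND PID USER ... TCP <address>:<port> (LISTEN)
ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*\sTCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)

def parse_listeners(lsof_text):
    """Return one dict per listening TCP socket found in the lsof output."""
    listeners = []
    for line in lsof_text.splitlines():
        m = ROW.match(line)
        if m:  # the header row and non-LISTEN rows do not match
            listeners.append({
                "command": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
                "address": m["addr"], "port": int(m["port"]),
            })
    return listeners

def unexpected_listeners(lsof_text, expected_commands):
    """Group sockets by (command, pid), skipping allowlisted commands."""
    found = {}
    for sock in parse_listeners(lsof_text):
        if sock["command"] in expected_commands:
            continue
        key = (sock["command"], sock["pid"])
        found.setdefault(key, set()).add((sock["address"], sock["port"]))
    return {key: sorted(socks) for key, socks in found.items()}

if __name__ == "__main__":
    # Assumed allowlist: services this machine is supposed to run.
    allow = {"sharingd", "postgres"}
    for (cmd, pid), socks in unexpected_listeners(SAMPLE_LSOF, allow).items():
        print(f"unexpected listener: {cmd} (pid {pid}) on {socks}")
```

A listener that is still present after its parent app has been removed is the leftover the article describes, so a finding here should be checked against the list of installed applications.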


