The vulnerability made it possible to activate webcams and connect users to calls without them asking for it.
Apple has released a “silent” update for macOS users, which eliminates the Zoom vulnerability. The patch is installed automatically and removes the hidden web server application. This was reported by TechCrunch, citing representatives of Apple.
After the update is installed, Zoom users will lose the ability to launch the application with one click on a link. Instead, the system will ask for their consent each time.
The patch does not require user action. It was released via the “security updates” channel, whose updates are installed in the background without a reboot, unnoticed by computer owners.
Apple began releasing similar patches in 2014 to combat malware and critical bugs. However, the company rarely speaks out against third-party services.
Apparently, the update was coordinated with Zoom. A Zoom representative told TechCrunch that the service “was happy to work with Apple on testing the patch.”
The update was released despite Zoom's own patch, which also removes the web server from computers. Apple noted that it “will protect past and present users from an undocumented web server vulnerability, without affecting the functionality of Zoom.”
On July 8, cybersecurity researcher Jonathan Leitschuh described the vulnerability in the Zoom video call service, which is used by more than four million people worldwide. The expert found that a hidden server, which interacts with websites, is installed together with the application on computers running macOS.
In this way the service bypasses browser restrictions and lets users start conversations without unnecessary actions: they just click on a Zoom link on the Internet. At the same time, however, the server allows attackers to connect users to calls with their webcams enabled without their knowledge.
Zoom at first defended its position and claimed that this approach saves users time and does not pose a threat. However, after the story was published in the media, the company changed its mind and released an emergency patch.