Apple released a second security update to fix further Zoom-related vulnerabilities on macOS, The Verge reported.
The company removed software that was automatically installed by Zoom’s partners – RingCentral and Zhumu. Earlier this week, these two video conferencing applications were found to have the same vulnerabilities as Zoom.
RingCentral and Zhumu installed software capable of responding to commands that could allow websites to turn on your webcam during a video conference without your permission. Removing the two applications did not remove this secondary software, which remained vulnerable to exploitation; Zoom behaved the same way.
Last week, researchers announced a vulnerability that allows a website to forcibly start a video call on a Mac, because of a web server that Zoom installed in the background.
When the vulnerability was first found, Zoom explained that it used a local web server as a workaround for changes Apple introduced in Safari 12, calling it a “legitimate solution” to an otherwise “poor user experience” that let users access “seamless, one-click-to-join meetings.”
For security reasons, Apple made Safari require user approval before launching a third-party application, a prompt Zoom wanted to avoid. Zoom therefore used the aforementioned local web server, which waited for requests and opened Zoom conferences automatically, bypassing the approval step.
Although Zoom released a patch to address the vulnerability, Apple decided to remove the web server software itself, since uninstalling the Zoom application originally did not remove it from the Mac.
Apple seeded its first silent patch to remove Zoom’s extra software on July 10th, and yesterday’s update is an important part of the same mitigation.
Installing Zoom on macOS no longer installs a local web server, and Zoom has added a setting to save the “Always turn off my video” preference, which disables video in Zoom by default until it is manually enabled. At the same time, the new patch for RingCentral and Zhumu is deployed automatically, so users don’t need to apply it manually.
According to The Verge, Apple plans to fix the vulnerability for all of Zoom’s partner applications.