Following backlash against Zoom's Mac vulnerability on Monday, Apple has rolled out a silent update that removes a web server that allowed websites to automatically launch a conference call and activate a user's webcam.
The move follows Zoom's own update to its client on Tuesday, which also removed the web server from Mac systems for those that chose to keep the software installed.
Apple's update serves those users who have, like a number of IT Pro writers, deleted Zoom from their systems following Monday's news.
Apple told TechCrunch that the update requires no user intervention and is deployed automatically. However, following our own testing, IT Pro can confirm that the vulnerability is still exploitable for those users who have yet to restart their system.
Despite both companies releasing updates for the issue, Tod Beardsley, research director at cybersecurity firm Rapid7 told IT Pro that the Zoom vulnerability was 'overblown'.
"I'm not entirely certain this is a bug in Zoom," he said. "For starters, there's a (non-default) configuration setting that seems to totally mitigate this issue: In the Mac OS client, go to zoom.us > Preferences > Video > "Turn off my video when joining meeting".
"Since this is already my personal default, I was confused as to why the original proof of concept wasn't working for me (I finally figured it out this morning)," he added. "At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren't enforced for localhost domains."
There is an issue with this criticism which lies in that the default setting in Zoom is to have automatic webcam enablement - it's a feature of the client most people appreciate as it makes joining a conference call more seamless.
When users click on a Zoom link, they expect to be thrown into a conference call, and it's therefore unlikely that users will take the time to change this default setting.
09/07/2019: Major zero-day privacy vulnerability found in Zoom for Mac
A serious zero-day vulnerability has been discovered in the hugely popular video conferencing and meetings application Zoom, which allows websites to forcibly activate a Mac user's camera without their intervention.
The vulnerability leverages a localhost web server that's installed alongside any Zoom installation and remains on a user's computer even after uninstalling the app. The web server also has the power to re-install Zoom on a user's system without their permission.
Jonathan Leitschuh, the researcher who discovered and provided proof of concept for the vulnerability said this web server will accept requests other browsers wouldn't.
The vulnerability exploits Zoom's feature where users can simply send others a customised link so they can join a conference call. When users have a setting enabled which allows Zoom to automatically activate a user's camera when joining a call, websites can abuse this custom link feature by inputting a Zoom conference link as an
