Apple rolls out its own fix for Zoom zero-day
The exploit allowed websites to forcibly activate a user's webcam


Following backlash against Zoom's Mac vulnerability on Monday, Apple has rolled out a silent update that removes a web server that allowed websites to automatically launch a conference call and activate a user's webcam.
The move follows Zoom's own update to its client on Tuesday, which also removed the web server from Mac systems for users who chose to keep the software installed.
Apple's update serves those users who have, like a number of IT Pro writers, deleted Zoom from their systems following Monday's news.
Apple told TechCrunch that the update requires no user intervention and is deployed automatically. However, following our own testing, IT Pro can confirm that the vulnerability is still exploitable for those users who have yet to restart their system.
Despite both companies releasing updates for the issue, Tod Beardsley, research director at cybersecurity firm Rapid7, told IT Pro that the Zoom vulnerability was 'overblown'.
"I'm not entirely certain this is a bug in Zoom," he said. "For starters, there's a (non-default) configuration setting that seems to totally mitigate this issue: In the Mac OS client, go to zoom.us > Preferences > Video > "Turn off my video when joining meeting".
"Since this is already my personal default, I was confused as to why the original proof of concept wasn't working for me (I finally figured it out this morning)," he added. "At any rate, given the existence of this mitigation, the bug actually seems to be down in the browser, not the Zoom client, where CORS policies aren't enforced for localhost domains."
The problem with this criticism is that automatically enabling video on joining is Zoom's default, as Beardsley himself notes when he calls the mitigating setting non-default; it is a feature most users appreciate because it makes joining a call more seamless. Nor does the browser offer much protection here: CORS governs whether a page may read a cross-origin response, not whether the browser sends the request, so a simple GET to a localhost listener goes out regardless and the local service has to validate requests itself.
When users click a Zoom link they expect to land in a conference call, so it is unlikely that many will take the time to change this default setting.
09/07/2019: Major zero-day privacy vulnerability found in Zoom for Mac
A serious zero-day vulnerability has been discovered in the hugely popular video conferencing and meetings application Zoom, which allows websites to forcibly activate a Mac user's camera without their intervention.
The vulnerability leverages a localhost web server that's installed alongside any Zoom installation and remains on a user's computer even after uninstalling the app. The web server also has the power to re-install Zoom on a user's system without their permission.
Jonathan Leitschuh, the researcher who discovered the vulnerability and published a proof of concept, said this web server will accept requests that regular browsers wouldn't.
The vulnerability exploits Zoom's feature that lets users send others a customised link to join a conference call. When the setting that lets Zoom activate the camera automatically on joining a call is enabled, websites can abuse this custom link feature by inputting a Zoom conference link as an

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.