Skip to main content

Apple rolls out a silent Mac update that removes Zoom’s local web server

sotck photo of Macbook Pro
Craig Adderley/Pexels

A security researcher recently discovered that the Zoom app has a pretty troubling security flaw for those who use the app on Macs. According to a Medium post published on Monday, July 8, by security researcher Jonathan Leitschuh, the Mac version of the Zoom app has a vulnerability that lets websites launch video calls (and turn on your webcam) without your permission.

But as of Wednesday, July 10, Apple decided to address Zoom’s security issue with a solution of its own: A silent Mac update that removes a problematic localhost web server that comes with the Mac version of the popular video conferencing app, TechCrunch reports.

Recommended Videos

Zoom is well-known and used by countless companies precisely because of its ease of use. (Users can join video calls with just a shared link and a click.) But it turns out that that particular easy-to-use feature is the source of the vulnerability. According to Leitschuh’s post, the installation of the Zoom client for Mac doesn’t just come with the video calling app itself; it also comes with a localhost web server that is also installed. This local server is what allows Mac users to have one-click access to a Zoom video call. But as Leitschuh notes, the local server feature “really hadn’t been implemented securely.”

In fact, the server is so vulnerable that it allows other, potentially malicious websites, access to Mac webcams to “forcibly join a user to a Zoom call” and turn on their webcams without permission. In addition, the server’s security flaw (for older versions of Zoom) also would have let websites complete a DoS (Denial of Service) attack on Macs “by repeatedly joining a user to an invalid call.” Leitschuh also noted that the DoS security flaw was patched in version 4.4.2 of the Zoom client.

Users can’t just uninstall Zoom to fix the problem either. Leitschuh’s report also mentioned that the local web server stays on your Mac even after uninstalling Zoom. Plus, that server can still reinstall Zoom without your permission. And it appears, at least according to Leitschuh’s version of events, that Zoom, while aware of the flaw, hadn’t fully fixed the security issue at the time.

Zoom initially said it wouldn’t fix the issue, but eventually said it would release a patch Tuesday that would eliminate the bug, according to Wired.

Despite Zoom’s newly released patch, Apple has now provided its own fix for Zoom’s webcam security issue. According to TechCrunch, the (automatic) silent Mac update is expected to remove the local server that had been installed along with Zoom’s video conferencing app. The silent update will also contain a feature that asks Mac users if they want to open the Zoom app, instead of just opening the app automatically.

Apple shed a little light on the reasoning behind the creation of this silent Mac update and telling TechCrunch that the update was intended to help protect past and present users of the Zoom app for Mac from the app’s vulnerability while preserving the functionality of the app.

Updated on July 11, 2019: Apple released a Mac update that removes Zoom’s local web server.

Anita George
Anita George has been writing for Digital Trends' Computing section since 2018. So for almost six years, Anita has written…
Apple October Mac launch: everything we expect to be announced next week
Apple's Craig Federighi introduces window tiling in macOS Sequoia at the Worldwide Developers Conference (WWDC) in 2024.

It's official. After an entire month of waiting, Apple has revealed that some Mac-related announcements are coming just next week. The exact timing of the announcements, along with what devices will be launched, however, are still yet to be confirmed.

That being said, the leaks and reporting on this launch have been fairly robust, so we have a fairly good idea of what could be in the works. Refreshing Macs with the M4 chip will be the focus of the event, but there may be a few more surprises too.
When will Apple launch its new devices?
https://twitter.com/gregjoz/status/1849484363165213148?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1849484363165213148%7Ctwgr%5E6e69ea2b057a7d389444839b9bc3c6940ddc52e7%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.digitaltrends.com%2Fcomputing%2Fapple-announcements-are-coming-on-monday%2F

Read more
Is Apple’s upcoming M4 Mac event still happening? I’m skeptical
Russian YouTuber Romancev768 with what is claimed to be a real M4 MacBook Pro unit.

Over the last few weeks, the endless stream of M4 MacBook Pro leaks has been almost inescapable. We’ve seen photos, unboxing videos, even M4 laptops reportedly going up for sale way ahead of time. Ye.t despite all that, there’s been one thing that has stopped me from fully believing that these leaks are legitimate -- despite a well-known reporter claiming that they’re authentic.

That’s because in all the leaks we’ve seen, the box of the M4 MacBook Pro has come with the same black-and-gray wallpaper that Apple used for its M3 line of MacBook Pros. It’s something that has bugged me ever since I first noticed it. But what if the use of an old wallpaper isn't proof that these leaks are fakes, but is actually a clue about what Apple is about to do next?
The wallpaper of it all

Read more
I’m worried Apple will skip its October event – here’s what that means for the M4 MacBook Pro
Apple CEO Tim Cook looks at a display of brand new redesigned MacBook Air laptop during the WWDC22

For months now, we’ve been hearing that Apple is set to announce a boatload of new products -- including the M4 MacBook Pro range, fresh iPads, and more -- at an event this October. Yet a new report suggests that things might not be quite so simple after all.

In his latest Power On newsletter, Bloomberg journalist Mark Gurman says that Apple is set to reveal these new products “around the end of October,” with the devices going on sale on Friday, November 1. So far, so expected.

Read more