Apple informed us that it has sent out a silent security update to Macs to remove software that was automatically installed by RingCentral and Zhumu. These video conferencing apps both used technology from Zoom — they’re essentially white labels — and thus they also had Zoom’s security flaws. Specifically, they installed secondary pieces of software that could take commands from websites to open up your webcam in a video conference without your intervention.
Even uninstalling those apps wouldn’t remove that secondary web server, which would mean that many users wouldn’t get the software vendors’ updates fixing the issue. That means Apple is best positioned to remove the offending software, and it is doing so. Apple intends to fix the issue for all of Zoom’s partner apps.
Yesterday, these additional issues arose from further research into Zoom’s partner apps, but the larger problem of Zoom installing a secondary web server that could potentially be insecure began with a zero-day disclosure on July 8th. Since then, Zoom itself has been scrambling to come to the right solution for users — including an about-face on whether such an update was even necessary in the first place.
It ultimately decided that it was worth the update, but couldn’t remove software for users that had uninstalled its main app, which is why Apple had to step in. Apple issued its first silent patch to remove Zoom’s extra software on July 10th, and today’s update is essentially part of the same mitigation.
The core issue stems from a change Zoom made to its video conferencing software to work around a security update Apple had made to Safari. Safari was recently updated in such a way that it required user approval to open up a third-party app, every time, and Zoom wanted to keep users from having to deal with that extra click. That required installing a web server that listened for calls to open up Zoom conferences. Combine that with the fact that it was common and easy for Zoom users to have their default set to have video on when joining a call, and it became possible for a malicious website with an iframe to open up a video call on your Mac with the camera on.
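As an added example (not code from the article, Zoom, or Apple), the check below models how a localhost helper of the kind described above can refuse to act on commands from arbitrary websites: it honours a launch request only from an allowlisted origin carrying a per-install secret, and never lets the web page decide the camera state. The allowlist, the token, the `authorize` function and the sample requests are all constructed for this illustration.

```python
"""Defensive model of a localhost helper's request check (illustrative)."""
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical allowlist of web origins permitted to drive the helper.
ALLOWED_ORIGINS = {"https://app.example-conferencing.invalid"}
# Per-install random secret; a real helper would store it readable only
# by the user and hand it to the legitimate web app, never to other sites.
INSTALL_TOKEN = secrets.token_hex(16)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(headers: dict, params: dict) -> Decision:
    """Decide whether a request to the local helper may launch a call.

    headers/params mirror what an HTTP handler sees; header lookup is
    case-insensitive as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    # An <iframe>/<img> GET from a third-party page carries no Origin
    # header; treat a missing or non-allowlisted origin as untrusted
    # regardless of what the query string asks for.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return Decision(False, "origin not allowed")
    # A page can forge query parameters but not a token it never received;
    # compare in constant time so timing does not leak the secret.
    if not hmac.compare_digest(params.get("token", ""), INSTALL_TOKEN):
        return Decision(False, "missing or bad token")
    # Camera state belongs to the user's saved preference in the client,
    # not to the web request, so a request to force video on is refused.
    if params.get("video") == "on":
        return Decision(False, "video state is not web-controllable")
    return Decision(True, "ok")


# Constructed sample requests: one as a hostile embedded frame would
# produce it (no Origin, asks for video on), one from the legitimate app.
HOSTILE_FRAME = ({"Host": "localhost"}, {"meeting": "123", "video": "on"})
LEGIT_APP = ({"Origin": "https://app.example-conferencing.invalid"},
             {"meeting": "123", "token": INSTALL_TOKEN})

if __name__ == "__main__":
    print(authorize(*HOSTILE_FRAME))
    print(authorize(*LEGIT_APP))
```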