24 votes

Apple pushes a silent Mac update to forcibly remove hidden Zoom web server

12 comments

  1. [7]
    emdash Link
    If this isn't effectively an indictment of what Apple thinks about Zoom's practices here, I don't know what else to say to you. These sorts of patches are usually reserved for malware and other malicious software.

    14 votes
    1. [4]
      Deimos Link Parent
      It's been really interesting to see how quickly the original Zoom response of "there's nothing wrong with this, everybody does it" ended up being reversed.

      I wonder if there's a known exploit for the Zoom server specifically, or if Apple discovered one while looking into it. It seems strange for them to go to these lengths in this case when it sounds like other software has been using a similar technique too. Maybe it's just the reinstallation aspect that makes Zoom's case exceptional?

      10 votes
      1. [2]
        emdash Link Parent
        At the very least, Zoom's decision to leave not just files in place on disk post-uninstall, but a running web server, definitely violates Apple's guidelines around application tidiness. There's an expectation that if an app is dragged from Finder to Trash, it should leave the system in a state similar to how it was before installation, sans the occasional preference file.

        Sadly, nearly all big companies don't follow these guidelines. Microsoft & Adobe are particularly bad.

        Also of note: I did a double take when I read your comment here, Deimos. I'd immediately come from the HN thread where you are currently the top comment :P.

        10 votes
        1. Deimos Link Parent
          Haha yeah, I wrote the comment here in reply to you, then copy-pasted it over to HN and a few minutes later I realized that I never actually clicked the button to post it here.

          7 votes
      2. ReapersGale Link Parent
        Reading Leitschuh's writeup it could have been combined with CVE-2018-15715 for some degree of nastiness.

        I read about the Tenable Remote Code Execution in Zoom security vulnerability which was only patched within the last 6 months. Had the Tenable vulnerability been combined with this vulnerability it would have allowed RCE against any computer with the Zoom Mac client installed. If a similar future vulnerability were to be found, it would allow any website on the internet to achieve RCE on the user’s machine.

        CVE-2018-15715 was patched back in November 2018 (version 4.1.34475.1105) but looking at Zoom's release notes it's a 'manual update' and folk tend to be behind on (or bad at) keeping things patched.

        2 votes
    2. JXM Link Parent
      I would say that Zoom’s installation of a web server does count as malicious software.

      5 votes
    3. NaraVara Link Parent
      "These sorts of patches are usually reserved for malware and other malicious software."

      I have a hard time justifying how Zoom wasn't malware if it's literally running a web server on your computer in secret.

      1 vote
  2. [5]
    HanakoIsBestGirl Link
    So proprietary software that betrays its users being used to fight proprietary software that betrays its users... interesting...

    2 votes
    1. [4]
      apoctr Link Parent
      I can't particularly think of any times that Apple/MacOS has betrayed its users, though?

      8 votes
      1. [3]
        HanakoIsBestGirl Link Parent
        Off the top of my head

        • preventing jailbreaks on iOS
        • using proprietary formats like PAGES to lock documents to their ecosystem
        • forcing updates without user consent (as they have just done)
        • disallowing downgrades to previous OS versions or previous versions of apps
        • DRM on iTunes
        • making installing apps from places other than the App Store a pain on iOS
        • proprietary charging ports (although there is some USB-C now)

        1 vote
        1. [2]
          apoctr Link Parent
          I think the reason for my confusion was you're using a very liberal definition of betray.

          1 vote
          1. HanakoIsBestGirl Link Parent
            Yeah perhaps. I define it as not acting in the user's best interest. Or not how the user wants it to. Or restricting them in an unneeded manner.