Apple quietly removes Zoom’s hidden web server from Macs

In an embarrassing twist to the week-long saga of Zoom’s vulnerable web-conferencing app, Apple has issued a ‘silent’ update that automatically removes the software’s hidden web server from Macs.

Zoom released its own fix doing the same thing a day earlier, on 9 July 2019, but Apple remained unconvinced that this protected users who had either not updated their software or had deleted it before the company took this action.

Removing something hidden from a platform like Apple’s isn’t a good look, and to add insult to injury, according to Apple expert Patrick Wardle, the removal was carried out using the macOS Malware Removal Tool (MRT).

Zoom later said it had worked with Apple to “test” the removal update, although to some people that will sound like a face-saving statement of the obvious.

Rinse and repeat

It’s fair to say, then, that last week was not a good one for anyone working at Zoom, whose web conferencing software boasts of having more than four million users across desktop and mobile platforms, including Windows (some of whose users are also affected).

The timeline of the vulnerabilities uncovered in Zoom, and the company’s response to it, have become rather confusing since news of the issue was made public on 8 July 2019 by researcher Jonathan Leitschuh.

Naked Security has already covered much of this in an earlier story, including some basic mitigation against it.

We’ll summarise the increasingly confusing story since that coverage by noting that the vulnerabilities have now generated three advisories:

  • CVE-2019-13449 (the original denial-of service flaw),
  • CVE-2019-13450 (webcam takeover, unpatched but mitigated by removing the web server described above), and
  • CVE-2019-13567 (a proof-of-concept making possible Remote Code Execution).

The first and third issues should be fixed by updating to Zoom client version 4.4.2 on macOS (the software is also re-branded by RingCentral, in which case it’s version 7.0.136380.0312).

The aftermath

Applications are afflicted with security problems all the time, but the account offered by Leitschuh of his attempts to get the company’s attention when he first discovered the issue in March 2019 doesn’t read well.

First, it took him weeks to get a response before he says the company offered him a bug bounty on the condition he didn’t publicly disclose the problem.

After some toing-and-froing and the expiration of Leitschuh’s 90-day disclosure, a ‘fix’ was issued that turned out to have a workaround, at which point he made the flaws public.

Tweeted Leitschuh on 8 July 2019:

Zoom responded in a statement, admitting that its website “doesn’t provide clear information for reporting security concerns,” and announcing imminent plans to launch a public bug bounty program.

It also painted a less tardy picture of its response to the flaws, without fully explaining why its engineers took the arguably risky step of running a local web server with an undocumented API in the first place.

For his part, Leitschuh recommends reporting flaws via third-party bug bounty programs rather than via Zoom’s. Either way, with researchers all over its software like a rash, Zoom has a job on its hands to restore trust.