In an embarrassing twist to the week-long saga of Zoom’s vulnerable web-conferencing app, Apple has issued a ‘silent’ update that automatically removes the software’s hidden web server from Macs.

Zoom released its own fix doing the same thing a day earlier, on 9 July 2019, but Apple remained unconvinced that this protected users who had either not updated their software or had deleted it before the company took this action.

Removing something hidden from a platform like Apple’s isn’t a good look, and to add insult to injury, according to Apple expert Patrick Wardle, the removal was carried out using the macOS Malware Removal Tool (MRT).

Zoom later said it had worked with Apple to “test” the removal update, although to some people that will sound like a face-saving statement of the obvious.

Rinse and repeat

It’s fair to say, then, that last week was not a good one for anyone working at Zoom, whose web conferencing software boasts of having more than four million users across desktop and mobile platforms, including Windows (some of whose users are also affected).

The timeline of the vulnerabilities uncovered in Zoom, and of the company’s response to them, has become rather confusing since news of the issue was made public on 8 July 2019 by researcher Jonathan Leitschuh.

Naked Security has already covered much of this in an earlier story, including some basic mitigation against it.

We’ll summarise the increasingly confusing story since that coverage by noting that the vulnerabilities have now generated three advisories:

  • CVE-2019-13449 (the original denial-of-service flaw),
  • CVE-2019-13567 (webcam takeover, unpatched but mitigated by removing the web server described above), and
  • CVE-2019-13567 (a proof-of-concept showing that remote code execution is possible).

The first and third issues should be fixed by updating to Zoom client version 4.4.2 on macOS (the software is also re-branded by RingCentral, in which case it’s version 7.0.136380.0312).
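As an added example, not code from the article, from Zoom or from Apple, here is a POSIX shell check a Mac administrator could run to see whether a machine is past this issue: it reads the installed Zoom client version and compares it with the 4.4.2 fix mentioned above, and looks for leftovers of the hidden local web server. The listening port (19421) and the ~/.zoomus directory are assumptions taken from the public write-up of the flaw, not values the article gives; the version comparison is generic and works for any dotted numeric version.

```shell
#!/bin/sh
# Added example (not from the Naked Security article, Zoom or Apple):
# a defender's check for a single Mac. Assumptions, labelled:
#  - the fixed client version 4.4.2 comes from the article;
#  - the web server's port (19421) and its ~/.zoomus install directory
#    are taken from the public disclosure and are assumed here.

FIXED_VERSION="4.4.2"
ZOOM_APP="/Applications/zoom.us.app"
LOCAL_PORT="19421"   # assumed port of the hidden local web server

# version_ge A B -> exit 0 if dotted numeric version A is >= B, field by field
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        # both strings exhausted with no difference found: equal
        [ -z "$fa" ] && [ -z "$fb" ] && return 0
        fa=${fa:-0}; fb=${fb:-0}   # a missing field counts as 0
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# installed_zoom_version -> prints the bundle version, fails if not installed
installed_zoom_version() {
    [ -f "$ZOOM_APP/Contents/Info.plist" ] || return 1
    /usr/bin/defaults read "$ZOOM_APP/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# zoom_web_server_present -> exit 0 if artefacts of the local web server remain
zoom_web_server_present() {
    found=1
    if [ -d "$HOME/.zoomus" ]; then
        echo "found ~/.zoomus (assumed install directory of the local web server)"
        found=0
    fi
    if command -v lsof >/dev/null 2>&1 &&
       lsof -nP -iTCP:"$LOCAL_PORT" -sTCP:LISTEN >/dev/null 2>&1; then
        echo "something is listening on TCP port $LOCAL_PORT"
        found=0
    fi
    return $found
}

# check_host -> prints a verdict; returns 0 if this Mac looks fixed, 1 otherwise
check_host() {
    status=0
    ver=$(installed_zoom_version)
    if [ -z "$ver" ]; then
        echo "Zoom client not installed in $ZOOM_APP"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "Zoom client $ver is at or above $FIXED_VERSION"
    else
        echo "Zoom client $ver is older than $FIXED_VERSION: update it"
        status=1
    fi
    if zoom_web_server_present; then
        echo "local web server still present: Zoom 4.4.2 or Apple's MRT update removes it"
        status=1
    else
        echo "no local web server artefacts found"
    fi
    return $status
}

# Uncomment to run the check on the current machine:
# check_host
```

The version comparison is done field by field rather than as a string so that a hypothetical 4.4.10 is correctly treated as newer than 4.4.2; the web-server check is deliberately read-only, reporting what it finds and leaving removal to the vendor updates the article describes.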