This is way more minor than was initially implied by the article.

From TechCrunch:
“Apple's update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join.”
 
This is 100% Zoom's fault, not Apple's. Zoom decided that they knew better than Apple and bypassed their safeguards to save their users a click. It was completely irresponsible. It really pisses me off that they would do this! GoToMeeting will be getting my money in the future!
I believe people should vote with their wallet and go somewhere else... but they probably will forget about this tomorrow. I feel like people don't realize how big of a no-no this was. Zoom deliberately made a really poor choice.

Few lessons learned here:
1. Don't publicly broadcast anything unique to your account.
2. Log out of your computer when you are away.
3. Don't click on random conference links without knowing who you're joining.

Common sense is uncommon even in the tech community. Glad Zoom decided to stop their web server and please those who felt they were affected.
 
This is way more minor than was initially implied by the article.

From TechCrunch:
“Apple's update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join.”

Right. In addition to being timely and effective, this Xprotect update was also surgical. It didn't just nuke Zoom, it just disabled the webserver it spun up to get around this security feature.
 
Nice job Apple! Shame on you Zoom! I had to use Zoom for work for over two years and to think that they breached my trust in that regard is unfathomable. I will avoid Zoom like the plague.
 
Who cares about things like security and privacy anyway? As long as the company is giving away stuff for free, all is good. Please monitor all my activity 24/7.

(For the record, I’m being facetious. But there are people who actually think that way.)
 
Who cares about things like security and privacy anyway? As long as the company is giving away stuff for free, all is good. Please monitor all my activity 24/7.

(For the record, I’m being facetious. But there are people who actually think that way.)

Zoom isn't free for any practical use. There's no ads. List price for companies is $20/month/user.
 
Too bad that I used Zoom a couple of times for video conferences. There is absolutely no defense that they intentionally left a hidden webserver on users' computers after uninstall. I will avoid Zoom as much as possible.
 
It doesn't matter what excuses Zoom gives or how they patch or change the product. We've deleted it and will not use their product again.

Unfortunately I don't have that luxury. One of our most important clients has it as their corporate conference solution. While I typically invite their technical teams to our Webex, "sorry, your conference platform is a liability" is not an option when a C or D level invites me. The moves from Apple and Zoom over the last couple of days are at least a step in the right direction.
 
Never heard of Zoom. Who on Earth wants auto-answering anyway!

It’s wise to be wary of any app that requests administrator authentication in order to install. There are of course valid reasons to need it (such as installing fonts) but it can be abused. Very few apps actually need that. Always keep an eye out for any launch daemons and background processes in particular, but this is above the level of most casual users.
 
If I didn’t trust Apple as much as I do, this kind of power would make me uncomfortable. They’re truly the benevolent dictator of their ecosystem.

Apple was always like that, but Apple is the wrong side to be distrustful of in this case.
 
Yes. Well done Apple. Very well done.

This is a disaster for Zoom. They had one of the best brands in the comms space, and they are destroying it with this “feature” which makes Macs vulnerable and then trying to pass this off like it’s no big deal. It’s breathtaking how tone deaf they are.

It’s despicable, and Zoom better act fast before they are dead to enterprises. No CIO/CTO will risk their career because a vendor has a slightly easier user experience.

This is company destroying stupidity and Zoom better act while they still can. Otherwise, they will be a business school case study of what not to do in a crisis.

Nothing new, things like this happen every now and then to every vendor, nothing dramatic.
 
Never heard of Zoom. Who on Earth wants auto-answering anyway!

It’s wise to be wary of any app that requests administrator authentication in order to install. There are of course valid reasons to need it (such as installing fonts) but it can be abused. Very few apps actually need that. Always keep an eye out for any launch daemons and background processes in particular, but this is above the level of most casual users.

Zoom is number one in cloud conferencing and growing at light speed.
Easy to use, customers love it, good quality.

Statistically speaking almost nobody would enable auto answer on his mac or pc with an application like so the problem pretty much does not exist on the field.
 
Zoom has a pretty full-functioned web browser mode. It's quite advanced, it goes beyond WebRTC and uses WebAssembly and WebSockets: https://support.zoom.us/hc/en-us/articles/214629443-Zoom-Web-Client

I've read that over the course of this fiasco. I downloaded the application previously because I've had bad experiences with Webex and Skype browser experiences. Inconsistent audio, video and especially screen-sharing experiences led me to just install the apps. I think I may reassess and try falling back to Safari for all these and see how I get on.
 
I've read that over the course of this fiasco. I downloaded the application previously because I've had bad experiences with Webex and Skype browser experiences. Inconsistent audio, video and especially screen-sharing experiences led me to just install the apps. I think I may reassess and try falling back to Safari for all these and see how I get on.
Functionally and visually, I have found Zoom is superior to Webex and Skype. This issue though makes me want to remove it and end my licence. I assume it is doing the same thing in Windows 10?
 
Apple's 'silent macOS update' was auto-installed on July 10th in the form of MRT v1.45 (Malware Removal Tool). You can verify its installation as follows:
1) Open up 'About This Mac'.
2) Click 'System Report...'
3) Click 'Software/Installations' and wait until the list is collected.
4) Scroll down the alphabetic listing to "MRTConfigData". At the bottom of the list of MRT update installations, you should see version 1.45 dated 7/10/19.
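
The check described in the post above, done from Terminal instead of System Report; this is an added example, not part of the original post. It assumes the text layout printed by `system_profiler SPInstallHistoryDataType`, and the sample entries embedded in it are constructed.

```sh
# Added example (not from the thread). On a Mac, feed it real data with:
#   system_profiler SPInstallHistoryDataType | mrt_at_least 1.45
# Constructed sample in the assumed system_profiler text layout (not real output).
sample_history() {
cat <<'EOF'
Installations:

    MRTConfigData:

      Version: 1.42
      Source: Apple
      Install Date: 6/5/19, 9:14 AM

    XProtectPlistConfigData:

      Version: 2103
      Source: Apple
      Install Date: 6/5/19, 9:14 AM

    MRTConfigData:

      Version: 1.45
      Source: Apple
      Install Date: 7/10/19, 3:02 PM
EOF
}

# Print the highest MRTConfigData version found on stdin (nothing if absent).
latest_mrt_version() {
  awk '
    /^ +[^ ].*:$/ { in_mrt = ($1 == "MRTConfigData:") }  # package header line
    in_mrt && $1 == "Version:" {
      split($2, v, ".")
      key = v[1] * 100000 + v[2]
      if (key > best) { best = key; ver = $2 }
    }
    END { if (ver != "") print ver }'
}

# Exit 0 if the newest MRTConfigData on stdin is >= $1, 1 if older, 2 if none.
mrt_at_least() {
  have=$(latest_mrt_version)
  [ -n "$have" ] || return 2
  awk -v h="$have" -v w="$1" 'BEGIN {
    split(h, a, "."); split(w, b, ".")
    exit !(a[1]+0 > b[1]+0 || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0)) }'
}

sample_history | latest_mrt_version   # demo run on the constructed sample
```

The non-zero exit codes make it usable in a fleet compliance script: 1 means the Mac has MRTConfigData but an older version, 2 means no MRTConfigData entry was found at all.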
 
Big thank-you to Apple on this--treating this Zoom "feature" as the malware it is, and using OSX's built-in antimalware functionality to disable it is the exact right move.

This whole fiasco is tremendously disappointing to me, because we do a lot of teleconferencing at work, and of the Zoom-Webex-GoToMeeting trio that I see by far most frequently among businesses we associate with, Zoom is far and away the best. It's easier to use, has a much better UI, better sharing and conferencing features, a better iOS app, and much better audio quality. I enjoy hosting Zoom meetings compared to Webex, which always feels clunky and uncomfortable (not to mention I can never understand anybody due to garbage audio quality).

All of which becomes a moot point when the company is installing malware on users' systems, avoiding even the most flimsy security patch until the last possible moment, and then calling it a "feature" when called out.

What particularly worries me is that the larger org that we're under has a Zoom contract, but our project partners are probably not going to feel comfortable accepting meeting invites from us now, or refuse to do anything but use a call-in number. It's entirely possible some of their IT departments won't even allow them to run Zoom (one already didn't), so it won't even be an option. If the org doesn't ditch Zoom in favor of a different provider, it may genuinely affect our ability to host meetings.
 
This isn’t a software update as far as I can tell. They just sent a string of text telling the system not to run this garbage, that’s it. Apple doesn’t just send out silent updates.

Incorrect. Apple sends out regular updates to its XProtect system. Part of XProtect is Apple's Malware Removal Tool, MRT. I posted a comment in the thread about how to verify your system has been updated with MRT v1.49, which IS the specific 'silent macOS update'.
This is absolutely not what XProtect is - what is updated is a list of application definitions that the previous quarantine system can use to prevent malicious software from running. There is literally no code being installed in this process.

Well, technically what's installed is script code understood by Apple's MRT.app (Malware Removal Tool). The update is in the form of 'MRTConfigData' used by the MRT.app. If you dig around in your Mac's System directory, you'll find the MRT.app, which is part of the XProtect system.

/System/Library/CoreServices/MRT.app

I posted in this thread how to verify you have the update installed, specifically MRTConfigData v1.45.
 
So, Apple can install an update (essentially any code) without user's approval or notification? Not good.

Nope! See my comments about the MRT v1.45 update that is the 'silent macOS update'. It's script code used by the MRT.app (Malware Removal Tool). That's all it is. MRTConfigData updates are plentiful and all 'silent'. The fact is that ASAP security updates are the state of the art. Be glad Apple isn't like Microsoft and Adobe who still live in the 20th century with their [expletive withheld] 'second Tuesday of the month' lag in security updates. That's a bad thing.
 
This is absolutely not what XProtect is - what is updated is a list of application definitions that the previous quarantine system can use to prevent malicious software from running. There is literally no code being installed in this process.

We apologize. What we meant to say was "Apple can remotely block a piece of software from being run on a Macintosh computer (essentially dictating what you're allowed to do with your own computer)? Not good."
 
So, Apple can install an update (essentially any code) without user's approval or notification? Not good.
They own the software that runs on your hardware, not you. You agree to terms to be able to use it.
I'm sure silent updates are within the terms, so you allow it.
You are free to not use any technology whatsoever if you wish.
Tech is crap, all of it, even the best, is crap.
Nothing is going to change that in our current paradigm.
 