So, Apple can install an update (essentially any code) without user's approval or notification? Not good.
Your comment here reminds me of Windows Vista, which is pioneering “full user control over every single action” in the form of UAC. Now, we all know this ends badly against its reputation and Windows 7 tones default UAC down quite a bit.

I used HIPS software before because it was pretty cool. Now, I don’t even bother installing additional antivirus on my Windows 10 PC as I don’t care much about HIPS anymore. I instead rely on low privilege user and safe guard against online activities to protect myself from common online attacks.

This is 100% Zoom's fault not Apple. Zoom decided that they knew better than Apple and bypassed their safeguards to save their users a click. It was completely irresponsible. It really pisses me off that they would do this! GoToMeeting will be getting my money in the future!
I believe people should vote with their wallet and go somewhere else... but they probably will forget about this tomorrow. I feel like people don't realize how big of no-no this was. Zoom deliberately made a really poor choice.
Zoom is probably just a bit ahead of themselves, and they failed to put themselves in control.
I hate to say that but maybe in the future, GoToMeeting will have the same scandal as Zoom has today. And, instead of “maybe” removing that hidden server, they will make the server even harder to find by users, keeping monitoring their customers non-stop.
 
Apple's 'silent macOS update' was auto-installed on July 10th in the form of MRT v1.45 (Malware Removal Tool). You can verify its installation as follows:
1) Open up 'About This Mac'.
2) Click 'System Report...'
3) Click 'Software/Installations' and wait until the list is collected.
4) Scroll down the alphabetic listing to "MRTConfigData". At the bottom of the list of MRT update installations, you should see version 1.45 dated 7/10/19.

Thanks, I don't have this update, and doesn't appear when I click 'Check for Updates'

I also have Zoom installed for work, details are pretty sketchy, is it not safe to use at all? Is it safe with this update?

Apple or Zoom need to post a clear guide.
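
A command-line equivalent of the System Report steps quoted above, as an added example that is not part of any post in the thread. It parses the text output of `system_profiler SPInstallHistoryDataType`; the sample input is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input. Layout assumed to match the text output of
# `system_profiler SPInstallHistoryDataType`; the 1.42 entry and the times are made up.
sample_history() {
cat <<'EOF'
Installations:

    MRTConfigData:

      Version: 1.42
      Source: Apple
      Install Date: 6/4/19, 9:12 AM

    Gatekeeper Configuration Data:

      Version: 171
      Source: Apple
      Install Date: 6/20/19, 8:01 AM

    MRTConfigData:

      Version: 1.45
      Source: Apple
      Install Date: 7/10/19, 4:37 PM
EOF
}

# Reads install history on stdin; prints "version<TAB>install date" per MRTConfigData entry.
mrt_installs() {
  awk '
    /:[ ]*$/ { in_mrt = ($0 ~ /^ *MRTConfigData: *$/); next }   # entry header line
    in_mrt && /^ +Version:/ { sub(/^ +Version: */, ""); ver = $0 }
    in_mrt && /^ +Install Date:/ { sub(/^ +Install Date: */, ""); print ver "\t" $0 }
  '
}

# Prints the MRTConfigData entry with the highest version (numeric compare on major.minor).
mrt_latest() {
  mrt_installs | awk -F'\t' '
    { split($1, p, "."); key = p[1] * 100000 + p[2] }
    NR == 1 || key > best { best = key; line = $0 }
    END { if (NR) print line }
  '
}

# Exit status 0 if the history on stdin shows MRTConfigData at or above version $1.
mrt_at_least() {
  have=$(mrt_latest | cut -f1)
  [ -n "$have" ] || return 1          # no MRTConfigData entry at all
  awk -v h="$have" -v w="$1" 'BEGIN {
    split(h, a, "."); split(w, b, ".")
    exit !((a[1] + 0 > b[1] + 0) || (a[1] + 0 == b[1] + 0 && a[2] + 0 >= b[2] + 0)) }'
}
```

On a Mac, `system_profiler SPInstallHistoryDataType | mrt_at_least 1.45` exits 0 once the update described above is installed.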
 
I'm not sure I'm comfortable with Apple pushing out silent updates. There should be an option to be notified about them (maybe there is and I'm not aware?). I do trust Apple, but I like to know what updates are coming my way.

I personally expect nothing less from Apple.
 
They own the software that runs on your hardware, not you. You agree to terms to be able to use it.
I'm sure silent updates are within the terms, so you allow it.
You are free to not use any technology whatsoever if you wish.
Tech is crap, all of it, even the best, is crap.
Nothing is going to change that in our current paradigm.

Thus my frequent stating that we’re still living in The Dark Age Of Computing. One core problem is the lack of default security in our programming languages. When we no longer use C and its derivatives, we’ll know we’re making progress.

:-D
 
Thanks, I don't have this update, and doesn't appear when I click 'Check for Updates'

I also have Zoom installed for work, details are pretty sketchy, is it not safe to use at all? Is it safe with this update?

Apple or Zoom need to post a clear guide.

Have a read of an article at MacOSDaily titled “How to Check XProtect Version in Mac OS”. It covers how to make sure you receive XProtect updates. There is a command for the Terminal to manually install XProtect updates, but start with your settings. (I’d post the article URL, but doing so typically sends posts into a black hole for the sake of protection from bots).
 
Thanks, I don't have this update, and doesn't appear when I click 'Check for Updates'

I also have Zoom installed for work, details are pretty sketchy, is it not safe to use at all? Is it safe with this update?

Apple or Zoom need to post a clear guide.
You need to be sure that you've updated the Zoom client to the latest version. You should also check your software update settings to be sure that "Install system data files and security updates" is enabled. That's what allows the automatic update of Apple's anti-malware tools.
 
Mac app publishers should at least provide an uninstaller if their app is installing components all over the system.
 
Yes. Well done Apple. Very well done.

This is a disaster for Zoom. They had one of the best brands in the comms space, and they are destroying it with this “feature” which makes Macs vulnerable and then trying to pass this off like it’s no big deal. It’s breathtaking how tone deaf they are.
It’s despicable, and Zoom better act fast before they are dead to enterprises. No CIO/CTO will risk their career because a vendor has a slightly easier user experience.
This is company destroying stupidity and Zoom better act while they still can. Otherwise, they will be a business school case study of what not to do in a crisis.

How is this "despicable"??? Spotify, Keybase, KBFS, iTunes, Numi, Encrypt.me … All running locally listening web servers too. Plus, they are not "tone deaf" either: They already fixed it.
 
I love it when Apple does this. They keep developers in check, like they did recently with Facebook. They also have a protection mechanism built into iOS that can remotely wipe rogue apps off every person’s device in the world. They’re the only company with the balls to do it and the security and privacy mindset to pull it off. May security and privacy forever be their #1 goal. Seriously, bless those beautiful engineers. They’re far from perfect, but among the best there is.

Your idea about security and privacy is very scary. You would blindly give all your trust regarding security and privacy to a company which you don't own or control. I think when it comes to security and privacy the last say should be from the end user. Whatever a company claims about its security and privacy policy, you should always take it with a grain of salt. In the world of security, there is what they call professional paranoia. Letting Apple "wipe rogue apps" off every person's device is not security, it's control. If that is how iOS/iPhone works, it's just like you do not own your iPhone/iPad but Apple just lends it to you because anytime they want they can lock you out from it. You may think you own the hardware; however, what use will your hardware be if they can lock you out remotely anytime they want?

If I buy a phone or a computer in general, I want to own its hardware and software and use it how I see fit. That's why it's called buying.
 
This month it's Zoom. Next month it's someone else. To paraphrase John Adams, our principle should be to trust no man living with power. To believe otherwise - to believe that any particular party is capable of doing no wrong - is to be deluded, or worse.






Quite right. As much as I might appreciate Apple "looking out" for its users, I would much rather suffer the odds that something happens to my machine - I consider myself a rather intelligent person, anyhow - than be beholden to the mothership. As with our governments' security apparati, it may be benevolent for a time, but once the system is in place, all it takes is a proverbial "flip of the switch."
Trust no man with power.... so was Adams advocating rule by children? Or perhaps a gynopoly? Or was he anticipating the invention of AI and welcoming our robotic overlords centuries early?

Sorry, but someone has to be entrusted with a certain amount of power, which is the point of all those checks and balances we keep hearing about, where one official or body or agency checks (meaning halts) the power of another, or balances their attempts to abuse their authority by being able to prevent it indirectly, such as by withholding funding.

The power that we, the People exercise through our government, and such agencies within it as the FTC, the FCC, the SEC, and the CPB, or whatever, plus laws as Congress from time to time enacts, are the checks we have on Apple, and our willingness to stop buying Apple products if they abuse their power is a way in which we can balance their power with our own. It’s similar to how our government was set up with the hope of making trust possible, even beneficial. But if you think you’re pretty smart, and can manage this system you’ve bought all by your lonesome and don’t need the army of software engineers who, unlike you, have access to the source-code and documentation internal to Apple on how the closed-source, proprietary parts of their OS works, then more power to you.

I’m sure anyone who is pretty intelligent can do just as well, even without the benefit of being the people to whom security researchers and white-hat hackers report problems and security holes and flaws to. All those automated crash reports from millions or billions of computers and devices... who needs any of that stuff, right?

Apple should just axe their whole software team and hire a few guys from the internet who think of themselves as pretty smart or intelligent. Think of the savings and corresponding boost in profits that would generate!

LOL
 
Thanks, I don't have this update, and doesn't appear when I click 'Check for Updates'

I also have Zoom installed for work, details are pretty sketchy, is it not safe to use at all? Is it safe with this update?

Apple or Zoom need to post a clear guide.

It’s safe to use. You are completely paranoid like most people. Zoom has already released an update yesterday that removes the web server. I think the silent Mac update was more of a fail safe.

There are guides out there you can type in terminal to see if the web server is still installed. Bottom line is don’t click on random Zoom links in Safari.
Mac app publishers should at least provide an uninstaller if their app is installing components all over the system.

I think 3rd party app publishers need to be more transparent as to what is being installed on your system if it’s outside the default pkg.
 
Mac app publishers should at least provide an uninstaller if their app is installing components all over the system.

A lot do but the problem is that requires them to keep it up to date and making sure it is always in sync. Things get missed.
Plus in terms of QA time at every company the uninstall feature is not going to be tested or looked at.
Why can’t Apple make sure everything is kept together and easier to it automatically.
 
Your idea about security and privacy is very scary. You would blindly give all your trust regarding security and privacy to a company which you don't own or control. I think when it comes to security and privacy the last say should be from the end user. Whatever a company claims about its security and privacy policy, you should always take it with a grain of salt. In the world of security, there is what they call professional paranoia. Letting Apple "wipe rogue apps" off every person's device is not security, it's control. If that is how iOS/iPhone works, it's just like you do not own your iPhone/iPad but Apple just lends it to you because anytime they want they can lock you out from it. You may think you own the hardware; however, what use will your hardware be if they can lock you out remotely anytime they want?

If I buy a phone or a computer in general, I want to own its hardware and software and use it how I see fit. That's why it's called buying.

People trust Apple more than themselves and understandably so. Apple has done a thorough job marketing their security messaging, so people are glad to hand over the keys here.
 
Unfortunately I don't have that luxury. One of our most important clients has it as their corporate conference solution. While I typically invite their technical teams to our Webex, "sorry, your conference platform is a liability" is not an option when a C or D level invites me. The moves from Apple and Zoom over the last couple of days are at least a step in the right direction.
Run Zoom in a sandbox.
 
People trust Apple more than themselves and understandably so. Apple has done a thorough job marketing their security messaging, so people are glad to hand over the keys here.
That's quite true. Unfortunately, most end users (consumers) don't have the time to educate themselves regarding issues about security and privacy and how these issues may affect them both positively and negatively.
 
It’s safe to use. You are completely paranoid like most people. Zoom has already released an update yesterday that removes the web server. I think the silent Mac update was more of a fail safe.

I asked "Is it not safe to use at all? Is it safe with this update?"

How is asking if some software is safe to use "completely paranoid"?

Maybe take a break from the forums and get some fresh air.
 
I’m already looking at moving the firm away from Zoom to Teams as I believe we are already paying for it.

Security is of the utmost priority. Very unhappy with Zoom.
 
Have a read of an article at MacOSDaily titled “How to Check XProtect Version in Mac OS”. It covers how to make sure you receive XProtect updates. There is a command for the Terminal to manually install XProtect updates, but start with your settings. (I’d post the article URL, but doing so typically sends posts into a black hole for the sake of protection from bots).
Thanks for the tip. It's OK for you to post the OSXDaily URL.

How to Check XProtect Version in Mac OS
 
So, Apple can install an update (essentially any code) without user's approval or notification? Not good.
It’s removing a specific part of a program that is a security vulnerability. The code is already there. It’s the built in “antivirus” on macOS. Apple can use it to kill stuff like this.
 
If I buy a phone or a computer in general, I want to own its hardware and software and use it how I see fit. That's why it's called buying.
Sure. But was Zoom not also being controlling in, by default, installing a local server that could allow an external user to activate your camera and show others what’s going on in front of your camera without asking for your explicit consent first?

Sure, the light would come on and you’d be able to leave immediately, as Zoom said. But I can think of several activities that people could commonly do in the frame of their Mac’s camera where even a second of footage shown to others, especially others they know, would be tremendously embarrassing or otherwise bad. You get the picture.

Zoom initially defended this as a workaround for a “user experience” issue, which is veritable bullpucky. It’s a substantial security and privacy issue. Apple fixed it, using existing, built-in security mechanisms intended for antivirus, by no longer allowing the server to run on clients that haven’t updated the Zoom app. It’s an objective win for security and privacy, not about “control.”

But hey, if you want to keep running this massive vulnerability unpatched, then please, by all means, don’t update Zoom and don’t allow Xprotect to update.
 
Yes. Well done Apple. Very well done.

This is a disaster for Zoom. They had one of the best brands in the comms space, and they are destroying it with this “feature” which makes Macs vulnerable and then trying to pass this off like it’s no big deal. It’s breathtaking how tone deaf they are.

It’s despicable, and Zoom better act fast before they are dead to enterprises. No CIO/CTO will risk their career because a vendor has a slightly easier user experience.

This is company destroying stupidity and Zoom better act while they still can. Otherwise, they will be a business school case study of what not to do in a crisis.
Honestly Zoom does not have to do anything as it is a relatively minor issue that was turned on by a setting. The user always had the option not to auto join with video. AKA preferences. If I remember correctly it was even off by default. I can give plenty of cases where you would want that setting to be turned on or a company would want it turned on. Example would be you have an office Mac at the end of a table working as a server. Hey that one auto accepting a call would be a good thing. Or you have one running a meeting room. Yet again that auto joining is a good thing. Hell I have been at multiple places that will do that. It is useful and people in the office get used to it to the point we expect it to happen waiting for a meeting.

This story is getting blown up by some poor journalism that is more after click bait headline titles. Screw the truth let's go for headlines. Mix this with the general public does not understand a lot of the issues and sees buzz words. OMG my Mac has a web server running on it.... Reality check you more than likely have several ones running. You think it is hidden when in reality it was how a feature that someone wanted more than likely a big client and it was how they thought of doing it.
In the software world reality moves like that are normal. So much of our items that we use are held together with duct tape and coat hangers. Including iOS and the macOS that we all love.

Come on remember in the past when Apple released a way to sudo access with nothing more than admin with no password. It happens. (FYI this was only a few years ago)
 