While it's good to hear that they've fixed this, it's going to take more to convince me to re-install Zoom. I removed it last year after the whole webserver fiasco and have refused to put it back on my Mac since. I agree with the comments that they will improve (they'll have to) however for me it's too little too late really and I can't see a time when I'll feel confident enough in the way they develop their software to change my mind. They've already lost me. If any of my customers want to connect via Zoom I either FaceTime them, use Skype or pick up the phone.
 
I feel I have to clear this up because a lot of people are confused and/or think this is some exploit or previously unknown major security hole in MacOS.

The Zoom installer was not in any way bypassing permissions.

If you're an administrator on your Mac, you're in the "admin" UNIX group. Look at the permissions on the Applications folder:

drwxrwxr-x+ 56 root admin 1792 Apr 1 09:55 /Applications/

The middle rwx is group permissions. Notice the directory's group is set to "admin". This means you, as an admin user, can write there without any further authentication or authorization. Thus the installer is able to write the app bundle to that directory.

The worst you can really call this is a security weakness in the default configuration of MacOS. The Applications folder probably shouldn't be group-writeable by admin users by default. You should HAVE to authenticate (either with sudo, or the installer asks for your password) to write there. But MacOS lets admins write freely to /Applications without authenticating. Any app can take advantage of that; apps that are distributed as dmg files already do, when you drag the app to /Applications.
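To turn the post's observation into a check an administrator can run, here is an added example (not from the post or from Apple's tooling) that parses an `ls -ld` line such as the one quoted above and reports whether the directory's group has write permission and whether a given user belongs to that group. The sample line and the group lists are constructed, not captured from a live system.

```sh
#!/bin/sh
# Constructed sample, copied from the permissions line quoted in the post.
SAMPLE_LS_LINE='drwxrwxr-x+ 56 root admin 1792 Apr 1 09:55 /Applications/'

# dir_group_writable "<ls -ld line>"
# Prints "yes"/"no" and returns 0/1 depending on the group 'w' bit
# (character 6 of the mode string; characters 5-7 are the group triplet).
dir_group_writable() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# dir_group "<ls -ld line>" -> prints the owning group (field 4).
dir_group() { printf '%s\n' "$1" | awk '{print $4}'; }

# user_can_write_as_group "<ls -ld line>" "<space-separated group names>"
# Returns 0 only when the directory is group-writable AND the user is a
# member of that group, i.e. the situation the post describes for "admin".
user_can_write_as_group() {
    line=$1; ugroups=$2
    dir_group_writable "$line" >/dev/null || return 1
    g=$(dir_group "$line")
    for ug in $ugroups; do
        [ "$ug" = "$g" ] && return 0
    done
    return 1
}

# On a real Mac the same check would be (hypothetical usage, not run here):
#   user_can_write_as_group "$(ls -ld /Applications)" "$(id -Gn)"
```

A hardened directory (`drwxr-xr-x`, as the post suggests it should be) makes the check return 1 even for an admin user.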
MacOS has a number of questionable things from a security perspective, but you're exactly correct. A more concerning thing is the fact that diskutil can be used freely, even without sudo or logging in as root. That to me always seemed like a major security flaw. Note that fdisk and tools like it usually require root access to do anything potentially destructive, although to be fair fdisk is more capable of total destruction than diskutil is.
 
With all the reports about Facebook data gathering and the company claiming they had no idea, I am avoiding Zoom like the plague, well, like COVID-19.
 
MacOS has a number of questionable things from a security perspective, but you're exactly correct. A more concerning thing is the fact that diskutil can be used freely, even without sudo or logging in as root. That to me always seemed like a major security flaw. Note that fdisk and tools like it usually require root access to do anything potentially destructive, although to be fair fdisk is more capable of total destruction than diskutil is.

MacOS gives a lot of trust by default to the console user. This is okay in 95% of situations, and in the 5% of cases that it's not it is possible to lock it down pretty hard.

Of course, you'll always get surprises in an open lab setting, like a recent time when a student set the system language to Chinese on one machine and I had to poke around with Google Translate on my phone to get it set back. :)
With all the reports about Facebook data gathering and the company claiming they had no idea, I am avoiding Zoom like the plague, well, like COVID-19.

Sadly, we're using it for work. I'm thinking of switching to using it on my gaming computer, where I care a bit less about security. But I'd need to find a webcam for that; my iMac has a built in one.
 
I had to register just for this one. If Zoom wants an easy install, then they can install their app by dragging into the /Applications folder. Upon first launch, they can sanity check and launch a helper tool with the user's permission (unless there are App Store rules about that. I never installed it.)

Since they are using the Installer, I am assuming it is more complicated than that. In that case, the user can go through a few steps to get the app installed.

The design of the Mac installer is this: You should not be interrupted once installation begins. Before that, ask the user whatever questions are necessary to complete the installation.

Remember when the Installer was created, or rather, when I morphed it from the OpenStep installer to the Mac OS X Installer, the competition was Windows. Installing Windows interrupted the user during installation for more information, and Mac OS X did not want that. That is why you have a few preliminary steps.

Saving a click or three by abusing the preflight script is just bad form. The script portions of an install are supposed to be as small and fast and simple as possible. If they're not, they throw off the time estimates. You can do a couple checks, and that's it.
 
Zoom's whole way of doing things is to make everything as simple as humanly possible, which is the reason they're so popular right now.

Seriously, it's the only piece of software I can think of that I've had next to no support requests for. It's unbelievably simple to use. I don't really see the problem with this. Minimizing clicks should be more important to all devs.
Totally agree. There has been WAY too much hate on Zoom over the past week or so. Zoom has added millions of customers to its user base since the beginning of this whole switch to online usage and has done well to manage such an influx. It's sad that the only payment Zoom received for keeping everyone functional was a slap in the face and a slew of complaints. Let's face it folks, Facebook and Google present more privacy concerns than Zoom ever could. So far, I am well pleased with how Zoom has helped me transition to online work and am grateful for the service they provide.
 
Because I'm observant. Am I in the middle of a sweet conspiracy theory or something? If so, I'll have to get my sunglasses.

Meet me in the parking garage.

Being observant does not disprove poor practices she's in public light and directors ordering changes to be done by developers separately from developers truly caring and realizing faulty practices previously submitted by them, ;)

but I like your good humour! :)
 
Zoom installing their software via a preinstall script isn't something that Apple's installer functionality should even allow. There's no justification for Zoom having taken this approach- the user has already authenticated as an admin at the point that script runs, so what's gained by installing before the user clicks "Install" rather than installing in the proper way? It's clearly not something that was ever required as the preinstall behavior has now been removed.
While I wouldn't consider this as an exploit, it is just one more suspect behavior in a series of questionable decisions by Zoom, and this sort of thing needs to stop. Zoom's other just-patched security issues, on both the Windows and Mac clients were nontrivial, however.
 
Did I read the story too quickly, are we talking about the desktop app or the iOS app? I am assuming no need to reinstall versions I already have installed...
 
It should be just drag and drop to the Applications folder without an installer.
The installer is easiest. Double click on the downloaded installer, it installs. Done. What you're referring to requires a disk image, and a few additional steps. Personally, I love the simplicity of what Zoom has done with their installer. Like all things Zoom, couldn't be easier.
 
Security issues aside, yesterday I installed and used Zoom to attend a "webinar" with 170 attendees. Almost all of whom, like me, are Boomers or older, and probably using it for the first time. Software ran smoothly with great video/audio quality and responsiveness. Lost less than 5 minutes due to user screwups. I was impressed. I've used GoToMeeting before, and regularly use Skype on 1-to-1's, and Zoom is far and away better.

It's easy to make things work pretty well when you're blowing past any security and best practices.

It's like saying "I can get across town in 20 minutes" when you're going 140+ on the highway and blowing through any stop signs and stop lights. Convenient, yes. Following best practice? No way. Endangering your passenger? Absolutely.
 
What is wrong with this company? It is one thing after another.
 
No, you only need to do the first step


LOL. Thanks for the laugh and good advice. I updated the app yesterday. But what I like about Zoom is the low 'delay' time with video calls they have compared to Skype.

When using Skype you always have those awkward "TV news reporter talking to a news anchor via satellite" delays. But with Zoom, talking to each other is almost as quick as talking face to face.

Unfortunately, my parents don't have iPhones or iPads so I cannot FaceTime with them. Any tips for me aside from buying them iPads and iPhones?
 
It is the perfect example of what happens when a product grows in popularity too fast. Their practices are under a microscope.

I have been using Zoom for the last 3 years in a tech capacity. The pros for productivity outweigh the negative press it has received, unfortunately. My company gives out BlueJeans pro accounts, but the software and video quality (esp. for screen shares) is pure trash.
 
I don't think you understand what an installer is.

I don't think you understand where this app is built, how the dictatorship pressures developers and businesses and where the data is transmitted.


'Aside from the encryption standards, the researchers also found that Zoom sends traffic to China - even when all the people in a Zoom meeting are outside of China.

"During multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China," the report said.

"Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin. However, this arrangement could also open up Zoom to pressure from Chinese authorities," the report said.'
 
It seems like they made some bad choices, but it also seems like they are recognizing the fact they were bad choices and are quickly taking steps to address them.

It's easy to fault them but perhaps such quick acknowledgement and rapid changes are a good sign.

I don't know, really. It seems like the "better to ask for forgiveness" mantra that Facebook uses. I imagine Zoom just had a plan for the scenario where people complained about such things. Remember the webserver? This company has no issue with unethical approaches. None of their current incidents have been groundbreakingly-bad (maybe the webserver one) but there's clearly someone in that company who is making bad decisions time after time.
For sure. If you know software development, you know that any development firm which goes as far as they do to make things easy to use for their customers (not at all easy for the devs), actually does care about them, in much the same way Apple does. The fast fixes are a sign of that as well.

Indeed, making the best user experience possible is the main goal, but there's always an ethical balancing act. I don't think this particular incident was that bad but given that it's just another incident after the last couple (including the webserver debacle) they're demonstrating a lack of respect for the user.
 