Apple rolls out a silent Mac update that removes Zoom’s local web server

A security researcher recently discovered that the Zoom app has a pretty troubling security flaw for those who use the app on Macs. According to a Medium post published on Monday, July 8, by security researcher Jonathan Leitschuh, the Mac version of the Zoom app has a vulnerability that lets websites launch video calls (and turn on your webcam) without your permission.

But as of Wednesday, July 10, Apple decided to address Zoom’s security issue with a solution of its own: A silent Mac update that removes a problematic localhost web server that comes with the Mac version of the popular video conferencing app, TechCrunch reports.

Zoom is well-known and used by countless companies precisely because of its ease of use. (Users can join video calls with just a shared link and a click.) But it turns out that this particular easy-to-use feature is the source of the vulnerability. According to Leitschuh’s post, installing the Zoom client for Mac doesn’t just install the video calling app itself; it also installs a localhost web server. This local server is what allows Mac users to have one-click access to a Zoom video call. But as Leitschuh notes, the local server feature “really hadn’t been implemented securely.”

In fact, the server is so vulnerable that it gives other, potentially malicious websites access to Mac webcams, letting them “forcibly join a user to a Zoom call” and turn on the user’s webcam without permission. In addition, the server’s security flaw (for older versions of Zoom) also would have let websites carry out a DoS (Denial of Service) attack on Macs “by repeatedly joining a user to an invalid call.” Leitschuh also noted that the DoS security flaw was patched in version 4.4.2 of the Zoom client.

Users can’t just uninstall Zoom to fix the problem either. Leitschuh’s report also mentioned that the local web server stays on your Mac even after uninstalling Zoom. Plus, that server can still reinstall Zoom without your permission. And it appears, at least according to Leitschuh’s version of events, that Zoom, while aware of the flaw, hadn’t fully fixed the security issue at the time.
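A defender-side check for the situation described above, as an added example that is not from the article or from Leitschuh's report: it lists processes listening only on the loopback interface, so a helper server left behind after an uninstall can be spotted. The process names, PIDs, ports and allow-list are constructed for illustration; the parsing assumes the usual `lsof -nP -iTCP -sTCP:LISTEN` column layout.

```python
import shutil
import subprocess

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. Process names,
# PIDs and ports are made up; "ExampleHlp" is a hypothetical leftover helper.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
cupsd       301  root    7u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP [::1]:631 (LISTEN)
sshd        388  root    4u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP *:22 (LISTEN)
ExampleHlp  912  alice  11u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP 127.0.0.1:49152 (LISTEN)
"""


def loopback_listeners(lsof_output):
    """Return (command, pid, host, port) for sockets listening on loopback."""
    found = []
    for line in lsof_output.splitlines():
        fields = line.split()
        # Data rows end in "... TCP host:port (LISTEN)"; the header does not.
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, _, port = fields[-2].rpartition(":")
        if host in LOOPBACK_HOSTS and port.isdigit():
            found.append((fields[0], int(fields[1]), host, int(port)))
    return found


def unexpected(listeners, expected_commands):
    """Keep only listeners whose command name is not on the allow-list."""
    return [entry for entry in listeners if entry[0] not in expected_commands]


def live_lsof_output():
    """Run lsof if it is installed; return None otherwise."""
    if shutil.which("lsof") is None:
        return None
    result = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    text = live_lsof_output() or SAMPLE_LSOF  # fall back to the sample
    # The allow-list is an assumption; tune it to the machine being audited.
    for cmd, pid, host, port in unexpected(loopback_listeners(text), {"cupsd"}):
        print(f"review: {cmd} (pid {pid}) listening on {host}:{port}")
```

Any flagged process that belongs to an application already removed from the machine is worth tracing back to its binary and launch configuration.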

Zoom initially said it wouldn’t fix the issue, but eventually said it would release a patch Tuesday that would eliminate the bug, according to Wired.

Despite Zoom’s newly released patch, Apple has now provided its own fix for Zoom’s webcam security issue. According to TechCrunch, the (automatic) silent Mac update is expected to remove the local server that had been installed along with Zoom’s video conferencing app. The silent update will also contain a feature that asks Mac users if they want to open the Zoom app, instead of just opening the app automatically.

Apple shed a little light on the reasoning behind this silent Mac update, telling TechCrunch that the update was intended to help protect past and present users of the Zoom app for Mac from the app’s vulnerability while preserving the functionality of the app.

Updated on July 11, 2019: Apple released a Mac update that removes Zoom’s local web server.

Anita George
Anita has been a technology reporter since 2013 and currently writes for the Computing section at Digital Trends. She began…