Zoom, the video conferencing provider, has recently published a patch for its Mac users. The fix removes the rogue local web server that the Zoom client had installed on Mac devices.
The security flaw allowed some websites to join users to video calls even without permission. It also turned on Mac webcams without the consent of the user. Once the Zoom client is updated, the company will no longer use a local web server on Macs.
Zoom said it would also include a menu option that allows users to uninstall the Zoom client manually. After the deployment of the patch, users will see the Uninstall Zoom option on the menu bar. Clicking on this will thoroughly remove the Zoom app from the device along with the person’s saved settings.
In an earlier update, Zoom said it didn’t have an easy way to assist users in deleting the app. The company said users had to manually locate and delete the Zoom client and the Zoom local web server app. Users were told to delete these apps by hand until Zoom launched a new Uninstaller App for Mac to remove them completely.
A Security About-Face
The move reverses Zoom’s earlier stance, in which it classified the vulnerability as “low risk.” The company even defended its use of a local web server that exposed its users to potential attacks.
Jonathan Leitschuh, a security researcher who discovered the vulnerability, published a Medium post detailing the security flaw.
Later on, the company said it was working with Leitschuh on the security measure. In a tweet, Leitschuh gave an update, saying the company had reversed its previous position on the vulnerability.
Leitschuh’s post included mitigations for the vulnerability, such as how to stop Zoom from activating the webcam when joining a meeting. It also gives a terminal command for disabling video by default, along with instructions for shutting down the web server and removing its application files.
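The mitigations described above, written up here as an added example (not code from the article, from Zoom or from Leitschuh’s post): a small POSIX shell script that reports whether the local web server helper is present or listening, blocks it from being reinstalled, and switches video off by default. It assumes the helper lives in `~/.zoomus`, listens on localhost port 19421 and reads the `ZDisableVideo` key from `us.zoom.config.plist`; those values come from the researcher’s write-up, not from this article.

```shell
#!/bin/sh
# Added example, not the article's or Zoom's own code. Assumed values:
# helper directory ~/.zoomus, web server port 19421, preference key ZDisableVideo.
ZOOMUS_DIR="${ZOOMUS_DIR:-$HOME/.zoomus}"
ZOOM_PORT="${ZOOM_PORT:-19421}"

# State of the helper path: "directory" (web server can run), "blocked" (a plain
# file occupies the path, so the client cannot recreate it) or "absent".
zoomus_state() {
    p="${1:-$ZOOMUS_DIR}"
    if [ -d "$p" ]; then echo directory
    elif [ -e "$p" ]; then echo blocked
    else echo absent
    fi
}

# Is anything listening on the local web server port? 0 = yes, 1 = no.
# Needs lsof (shipped with macOS); returns 1 when lsof is unavailable.
zoom_server_listening() {
    command -v lsof >/dev/null 2>&1 || return 1
    lsof -nP -iTCP:"${1:-$ZOOM_PORT}" -sTCP:LISTEN >/dev/null 2>&1
}

# Stop the helper, remove its directory and leave an unreadable empty file in
# its place so the client cannot silently reinstall the web server on next launch.
harden_zoomus() {
    p="${1:-$ZOOMUS_DIR}"
    pkill -x ZoomOpener 2>/dev/null || true
    rm -rf "$p"
    : > "$p"
    chmod 000 "$p"
    [ "$(zoomus_state "$p")" = blocked ]
}

# Turn video off by default for new meetings (macOS only: uses the defaults tool).
disable_video_default() {
    command -v defaults >/dev/null 2>&1 || return 1
    defaults write "$HOME/Library/Preferences/us.zoom.config.plist" ZDisableVideo 1
}

# Typical run on a Mac: report, then harden.
if [ "${1:-}" = "--apply" ]; then
    echo "helper: $(zoomus_state)"
    zoom_server_listening && echo "web server listening on port $ZOOM_PORT"
    harden_zoomus && disable_video_default && echo "hardened"
fi
```

Run it without arguments to load the functions, or with `--apply` to report and then apply the mitigations; re-run `zoomus_state` after a Zoom update to confirm the directory has not returned.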
Leitschuh said that the security flaw was originally disclosed to Zoom on March 26, along with a proposed quick fix. But it took Zoom 10 days to confirm the vulnerability. He said that Zoom had only implemented the quick fix on June 24.
In its blog, Zoom said that, initially, it didn’t see the web server or the video-on-by-default setting as significant risks. But after hearing the outcry from some users and the security community, the company decided to release the patches.