Apple Issues Silent Update to Remove Old Zoom Software
Rare Move Made to Protect Against Future Exploitation
Apple has taken an extraordinary move to protect its users from a yet-to-be-disclosed vulnerability that could compromise Macs that have the Zoom video conferencing software installed.
Apple released a silent update that removes a clandestine web server Zoom installed in older versions of its software that can't be removed through a standard uninstall process. The update, first reported by TechCrunch, was confirmed to Information Security Media Group by Apple.
That left-behind component is vulnerable to a remote-code execution exploit that has yet to become public, Patrick Gray reported Wednesday on the Risky Business podcast. Zoom's software is installed on millions of Macs.
The update was likely made to Apple's Malware Removal Tool, which ships with macOS. Apple says in a support article that the tool can make security configuration and data file updates in the background.
Apple's intervention is "unique in a number of ways," says Jon Callas, a former Apple security expert and now senior technology fellow with the American Civil Liberties Union. An encryption expert, Callas also co-founded PGP Corp., Silent Circle and Blackphone.
Apple likely undertook the move to protect its own users, which is valid given the potential for harm, he says. "There are times when vendors have done something that was hard to fix, and there are relatively rare times that Apple will do something," Callas says.
Jake Williams, founder of Rendition Infosec and a former National Security Agency hacker, says Apple's decision is "more than fairly unprecedented," and that "I can't think of a time when it's happened other than some fringe cases involving apps that were really malware."
Zoom: A Stuff Up
Apple's move follows an embarrassing information security incident for Zoom that began playing out earlier this week. It also comes just three months after Zoom became a public company.
Jonathan Leitschuh, a Boston-based software engineer, discovered that Zoom's conferencing software could be involuntarily activated on someone else's computer if someone visited a rigged web page or clicked a deceptive link.
Leitschuh created proof-of-concept code showing how an iframe could trigger Zoom's launch, often with the recipient's video camera already turned on.
Leitschuh's code worked because Zoom made a controversial design decision. Older versions of its software installed an undocumented local web server on Macs. That server stays active and listens on port 19421 even if someone uninstalls Zoom.
If someone clicks a Zoom meeting link, Zoom directly launches. If someone had uninstalled Zoom and clicks a meeting link, the local web server reinstalls Zoom.
Zoom used the local web server to route around a protection Apple implemented in Safari 12 called cross-origin resource sharing, or CORS. CORS is designed to prevent a web resource from accessing something locally without notifying the user. So if someone clicked on a meeting link, Safari would trigger a warning that Zoom is about to be launched.
Zoom did this so users would not have to click through another dialog to join a meeting, a convenience-versus-security trade-off that now haunts it.
Remote Vulnerability Lurking
Zoom initially defended its decision to keep the local web server as part of its application, saying other software vendors use the same approach.
But on Tuesday, it reversed its decision after the outcries against it intensified. The company issued an updated application that would remove the web server, and says it will not be installed as part of future versions (see: Zoom Reverses Course, Removes Local Web Server).
But there was a thorny problem remaining. Zoom prompted users to update to the latest version, 4.4.4 (53932.0709). But users who thought they had uninstalled Zoom earlier are, of course, unlikely to download the updated version, which means the web server remains on their machines.
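The practical question for anyone administering Macs is whether that leftover listener is still present. The following audit script is an added example, not code from the article, Zoom or Apple: it makes a plain TCP connect attempt to 127.0.0.1 on port 19421, the port the article names, and reports whether any process accepts the connection. The port constant and the throwaway demo listener (used so the probe can be exercised offline) are the only assumptions; a completed handshake says only that something is listening, not which process owns it.

```python
"""Audit check for an orphaned local web listener on a Mac (added example).

Probes 127.0.0.1 on the port the article names (19421) and reports whether
anything accepts a TCP connection there.  The probe cannot identify the
owning process; `lsof -nP -iTCP:19421 -sTCP:LISTEN` answers that question.
"""
import socket
import threading
from dataclasses import dataclass
from typing import List, Tuple

ZOOM_LOCAL_PORT = 19421  # assumption: the port reported in the article


@dataclass
class ProbeResult:
    port: int
    listening: bool
    detail: str


def probe_local_port(port: int, timeout: float = 0.5) -> ProbeResult:
    """Attempt a TCP connect to 127.0.0.1:port.

    A completed handshake means some process is listening; a refused
    connection means nothing is bound there.  A timeout is reported as
    'not listening' but flagged, since it usually indicates a filter rather
    than an absent service.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(("127.0.0.1", port))
        except ConnectionRefusedError:
            return ProbeResult(port, False, "connection refused (no listener)")
        except socket.timeout:
            return ProbeResult(port, False, "timed out (filtered or unresponsive)")
        except OSError as exc:
            return ProbeResult(port, False, f"error: {exc}")
        return ProbeResult(port, True, "handshake completed (a process is listening)")


def audit(ports: Tuple[int, ...] = (ZOOM_LOCAL_PORT,)) -> List[ProbeResult]:
    """Probe each port and return one result per port."""
    return [probe_local_port(p) for p in ports]


def start_demo_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the leftover server, for offline testing only.

    Binds an ephemeral loopback port and accepts (then immediately closes)
    connections on a daemon thread.  Returns the socket and its port; close
    the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_loopback_port() -> int:
    """Return a loopback port that is currently not bound (for the negative case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    for result in audit():
        print(f"127.0.0.1:{result.port} listening={result.listening} ({result.detail})")
```

Run it as-is on a Mac to check the real port; a `listening=True` line is the cue to identify the owning process with `lsof` and remove it. The connect probe is deliberately passive beyond the handshake: it sends no request, so it tells you a listener exists without exercising whatever that listener does.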
That lingering web server appears to pose a clear and present risk to systems. Gray reported that Leitschuh likely came close to finding a remote-code execution vulnerability affecting the local web server. He reported that others have found it, imperiling millions of Macs.
Gray says on Twitter that he plans to interview those who found the remote code execution vulnerability on his show next week.
For Apple, that means part of its user base would have ended up vulnerable to an attack. Callas says a clandestine local web server that can be called on remotely is "indistinguishable" from malware, even though it wasn't intended as such.
"We all know these are people trying to make conferencing usable, and in general, Zoom is a great product," Callas says. "But a lot of these things are designed for their main purpose like conferencing and not for things like security."
Zoom CEO: 'We Misjudged the Situation'
Zoom says in a statement on Wednesday that it worked with Apple to get rid of the web server from Macs. "This was the most foolproof way to get this done so we appreciated Apple's collaboration in this matter," it says.
Facing mounting pressure, Zoom's founder and CEO, Eric S. Yuan, responded in a Wednesday blog post that "in engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough - and that's on us."
"We take full ownership and we've learned a great deal," Yuan writes. "What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users."
Leitschuh wrote that he gave Zoom more than 90 days to resolve the problems that he found, including recommending that Zoom ditch the local web server. He also expressed frustration over the company's responses.
Leitschuh declined to participate in Zoom's private bug bounty program because its terms bound him not to discuss the issues publicly after patching. Yuan writes that Zoom now plans to launch a public bug bounty program as well as improve its internal communication of security issues.
"Our current escalation process clearly wasn't good enough in this instance," he writes. "We have taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns."