Almost a week ago, Apple had to release a quiet update to macOS to address some secondary and potentially dangerous software related to the video conferencing app Zoom. Now Apple is doing the same for Zoom’s partner apps.
According to The Verge, Apple is currently sending out another quiet update for Macs that addresses the insecure software originally discovered tied to the Zoom app. It looks like some of Zoom’s partner apps, specifically Zhumu and RingCentral (two other video conferencing apps), have the same insecure software issue.
Both RingCentral and Zhumu use Zoom’s technology to deploy their own apps. That means both apps also installed the same software as Zoom, which includes a secondary piece of software that can take commands from some websites to hijack not only a computer’s webcam, but also the microphone.
Uninstalling Zoom, RingCentral, or Zhumu will not remove the secondary piece of software, which is a dedicated web server. That means the web server stays on the Mac even for users who uninstalled the app, leaving them at risk. Worse, Zoom, Zhumu, or RingCentral can’t send out an update to fix the issue directly for those who have uninstalled the app.
Which means Apple had to step in. It did so earlier this month and it’s doing so again, this time aiming to remove the secondary piece of software in the case of Zhumu and RingCentral.
Apple will be fixing the issue with all of Zoom’s partner apps.
The core issue stems from a change Zoom made to its video conferencing software to work around a security update Apple had made to Safari. Safari was recently updated so that it requires user approval every time it opens a third-party app, and Zoom wanted to keep users from having to deal with that extra click. That required installing a web server that listened for calls to open up Zoom conferences. Combine that with the fact that it was common and easy for Zoom users to have video turned on by default when joining a call, and it became possible for a malicious website with an iframe to open up a video call on your Mac with the camera on.
The latest silent update for macOS to fix this particular issue is going out today. So if you’ve installed and then uninstalled any of the offending apps, the issue should be patched shortly.