
Apple has pushed a silent Mac update to remove hidden Zoom web server - coloneltcb
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
======
vondur
If you would like to force this update you can do so via the terminal:

softwareupdate -ia --include-config-data

It will show up as MRTConfigData if you look under Apple Menu->About This
Mac->System Report->Software->Installations. The latest version is 1.45 and
was updated today which includes the Zoom mitigations.

~~~
rafwarn
This also installs a lot of stuff people may not want. You can install only
the designated package with:

        softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data

~~~
shok3001
Software Update Tool

MRTConfigData_10_14-1.45: No such update No updates are available.

~~~
mcescalante
I am also getting this error, and suspect it is because I’m on 10.12.6. If you
do _system_profiler SPInstallHistoryDataType |grep -A5 MRTConfigData_ you
should see your latest version. For me, it’s 1.42. Not sure how to get the
update yet though. Will update this comment once I figure that out.

Update: According to this macworld article, there is a Zoom patch out that
fixes this. [https://www.macworld.com/article/3407764/zoom-mac-app-flaw-c...](https://www.macworld.com/article/3407764/zoom-mac-app-flaw-camera-patch.html)

There are also commands at the bottom to manually kill the zoom localhost and
disable it. I have opted to run those commands regardless:

      pkill ZoomOpener; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
      pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

~~~
bluecmd
What does the chmod do there? Removing files counts as a write to the directory,
at least in Linux, so chmodding the dummy file wouldn't do much, I'm thinking.

~~~
Someone
Idea is to prevent the Zoom Software from ‘repairing’ the ‘damaged’ app by
overwriting it with the malware.

I would also set the ‘user immutable’ flag. If you want even better, set the
‘system immutable’ flag (see ‘man chflags’)

~~~
bluecmd
Yes sure, but I question if these permissions would do anything to prevent
that. It would reject an open() call on the file, but these are expected to be
directories so that would never happen, and it doesn't stop an unlink().
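
The permission question in this exchange can be checked directly. The script below is an added example, not from the thread or from Zoom, and uses a temporary directory in place of ~/.zoomus: it shows that a mode-000 placeholder file does block `mkdir` at that path (the name is already taken), but that a process running as the same user can still unlink it and recreate the directory, because unlink is governed by the parent directory's permissions rather than the file's mode. The `chflags uchg` command is the macOS immutable flag mentioned above; it is shown in a comment and not run, since it is BSD-only. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: what `touch X && chmod 000 X` does and
# does not prevent. Uses a throwaway directory from mktemp instead of ~/.zoomus.

# Returns 0 if a mode-000 regular file at a path stops mkdir at that path.
# (It does: mkdir fails with EEXIST because the name is taken, regardless of
# the file's mode. This is the part of the trick that actually works.)
placeholder_blocks_mkdir() {
    dir=$(mktemp -d)
    touch "$dir/.zoomus" && chmod 000 "$dir/.zoomus"
    if mkdir "$dir/.zoomus" 2>/dev/null; then
        rm -rf "$dir"
        return 1            # mkdir succeeded: the placeholder did not block it
    fi
    rm -rf "$dir"
    return 0
}

# Returns 0 if the same placeholder can still be unlinked and replaced by a
# directory. It can: unlink checks write permission on the parent directory,
# not the mode of the file being removed, so mode 000 offers no protection
# against a process running as the same user (which is what bluecmd suspects).
placeholder_can_be_replaced() {
    dir=$(mktemp -d)
    touch "$dir/.zoomus" && chmod 000 "$dir/.zoomus"
    if rm -f "$dir/.zoomus" 2>/dev/null && mkdir "$dir/.zoomus" 2>/dev/null; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# On macOS the stronger option suggested in the thread is the immutable flag,
# which makes unlink fail as well. Shown only, since chflags is BSD/macOS-only:
#   chflags uchg ~/.zoomus        # user-immutable; undo with: chflags nouchg ~/.zoomus

placeholder_blocks_mkdir && echo "mode-000 placeholder blocks mkdir at that path"
placeholder_can_be_replaced && echo "...but the same user can still unlink it and recreate the directory"
```

Both functions return 0 on Linux and macOS, which is the whole point: the `touch`/`chmod 000` step only raises the bar for code that blindly calls `mkdir`, while the immutable flag is what actually stops removal.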

------
m0dest
This means there might have been another side to this story: Zoom's change of
heart might have been forced by Apple, not the public backlash.

Apple: Hey, your app poses a threat to macOS security. We're going to remove
your server app with the built-in macOS anti-virus.

Zoom: Oh crap. Okay, give us 2 sprints to release a new version that removes
it.

Apple: We're killing it in 48 hours.

...

Zoom, after an all-nighter: HEyyy users, we have a patch for youu

~~~
devin
Wild speculation.

~~~
lhoff
Wouldn't say so.

The people who found the vulnerability were at least talking to the people at
Chrome and Firefox. Quote from their blog post
([https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5)):
"Apr 10, 2019 — Vulnerability disclosed to Chromium security team.

Apr 19, 2019 — Vulnerability disclosed to Mozilla FireFox security team."

So, not entirely unrealistic that the other browser manufacturer also got a
notice.

------
rawrmaan
That's pretty epic. Apple continues to make big, brave moral gestures (like
when they yanked Facebook and Google's enterprise certs earlier this year, or
killed long-term tracking cookies in Safari overnight).

Makes me happy to be a customer. Hope they keep enforcing their own rules and
protecting their users' privacy and security in this fearless manner.

~~~
Deimorz
I don't think disabling the enterprise certs was particularly moral, Facebook
and Google were flagrantly violating the terms of the enterprise program.
Apple also apparently didn't even notice (or didn't care) until articles about
it started getting a lot of attention.

Apple definitely does make some commendable decisions, but I think it's also
important to distinguish between bravery and what Ben Thompson calls "Strategy
Credits" ([https://stratechery.com/2013/strategy-credit/](https://stratechery.com/2013/strategy-credit/)):

> Strategy Credit: An uncomplicated decision that makes a company look good
> relative to other companies who face much more significant trade-offs.

~~~
judge2020
> Apple also apparently didn't even notice

Do they have any information about enterprise apps? As I understand it, Apple
never phones home with app info (such as the identifier, name, etc) when
verifying or installing enterprise-signed apps, so the only thing they know is
probably the IP address requesting to verify the enterprise-signed app and the
frequency of how often Apple devices do this certificate verification.

Considering FB and Google have many employees in all different parts of the
world, it wouldn't be too suspicious to see a good amount of diversity between
GeoIP regions.

Correct me if I'm wrong about what info Apple collects about enterprise apps.

~~~
saagarjha
Going forwards, Apple will require that companies provide their enterprise
apps to be audited.

~~~
judge2020
I see them adding something like the macOS "notarization" requirement to iOS
enterprise apps.

------
userbinator
It's been rather disturbing to see this whole thing play out --- I'm not
taking sides here, but Apple "flexing its arms" in this manner shows that it
is willing and has the power to go beyond policing its App Store and such
(which while I do not like, I feel it does have the right to) and involve
itself in the affairs of third-party software which it did not originally
install. (This is subtly different from updating things like OS files, for
example. Some other comments here suggest that the installation of this update
is controlled by a setting described as being for _system_ related updates,
which a user would expect to leave his/her third-party software alone.)

You may agree with its decision this time, but will you always agree? Apple's
wielding of power in this way is likely to attract the attention of groups
such as copyright/IP lobbyists, which have an immense desire to have all "non-
authorised" files/software erased from all users' machines.

As the saying goes, "two wrongs don't make a right".

In any case, the idea of the OS/platform vendor meddling with third-party
software that it doesn't like just feels wrong. I know Apple has historically
held tight control over its mobile platforms, but the Mac is meant to be
different.

I am not an Apple customer, and I now feel even more reluctant to become one.

~~~
zaptheimpaler
lol they removed what would be called horrific spyware if it wasn’t made by
Zoom and you’re over here on some lofty criticism about possible implications
years into the future

any OS (and many other apps) that update have the power to do what you’re
afraid of, and much more.

plus i don’t really see a bright line between system level software and an app
when apps can access your video cam, mic, all your files - basically your
whole computer.

~~~
heyoni
That's it right there. This isn't some gray area, questionable thing like that
time they pushed a David Bowie song onto people's iTunes. Remember that?
People completely lost their minds over it, and I agree with the sentiment.

This isn't third-party anything. No one even knew this was running on their
machine and it was demonstrably abusable. Good riddance!

~~~
pvg
_a David Bowie song_

It was an entire U2 album, a far greater offense.

~~~
bredren
It’s blasphemous to equate these artists.

------
Deimorz
It's been really interesting to see how quickly the original Zoom response of
"there's nothing wrong with this, everybody does it" ended up being reversed.

I wonder if there's a known exploit for the Zoom server specifically, or if
Apple discovered one while looking into it. It seems strange for them to go to
these lengths in this case when it sounds like other software has been using a
similar technique too. Maybe it's just the reinstallation aspect that makes
Zoom's case exceptional?

~~~
ilikepi
In the news segment of this week's episode of Risky Business[0], one of the
hosts mentions (starting around 3:40) he has some information that there was
an RCE disclosed to Zoom back "some months ago". He further says that
@Jlleitschuh (the person reporting the web server issue earlier this week) got
90% of the way to finding it. So...yeah, speculation only, but maybe Apple
became aware of this and dropped the hammer.

[0]: [https://www.risky.biz/RB547/](https://www.risky.biz/RB547/)

~~~
januzis
They also discuss a case where a user uninstalls Zoom but does not remove
the web server, remaining forever vulnerable, because the fix from Zoom will
not reach them. That explains the Apple involvement.

------
heisenbergs
I always wondered why the zoom app required root permissions, which is why I
never installed it in the first place. What would a video conferencing app
ever need root permissions for?! Now we know: a backdoor.

Thank god for Apple putting down the law. This is why I happily pay premium
prices...

~~~
eridius
I can't verify since I don't have it installed but I see no reason why this
webserver would need root permissions. If it's asking for root it must be for
something else.

~~~
fouc
Quite a few apps ask for root during installation. But now you have me
wondering which apps ask for root and which don't. Would be neat if there was
a huge app registry website that could show this. Name and shame the ones that
ask for root..

~~~
universenz
Let me introduce you to the nice folks over at Objective See..
[https://objective-see.com/products.html](https://objective-see.com/products.html)

They have a bunch of cool little apps (that are free) like BlockBlock that let
you know when things are happening you wouldn't have otherwise allowed.

For example, BlockBlock warned me randomly about 30 minutes ago about an app
that was being silently installed in the background.. something I hadn't seen
before called MRT.app.

Turns out - that was Apple silently updating the OS to protect against Zoom.
Wouldn't have known if it weren't for these apps.

~~~
oil25
> Let me introduce you to the nice folks over at Objective See..
> [https://objective-see.com/products.html](https://objective-see.com/products.html)

The "nice folks" at Objective-See is Patrick Wardle, a former NSA rootkit
expert who would like nothing more than to install various closed-source
components on your computer.

~~~
saagarjha
I'm not necessarily a fan of Patrick Wardle, but his software is open source:
[https://github.com/objective-see/](https://github.com/objective-see/)

~~~
oil25
Some software components are open source, others are not.

------
vinay_ys
Huh? Why is it ok for Apple or _anyone_ to do silent installs on my computer?
As a customer, why am I getting this information from YC/Techcrunch and not
Apple?

What else have they pushed like this? Is there a transparent log? Can we
verify if their track record is clean? How many times have they silently
broken and fixed their own things? How do we know they won't abuse this?

Isn't this the same dark pattern that we criticized zoom for? Did I consent to
Apple doing silent editorial changes to my system?

For having exercised this editorial privilege, will Apple take accountability
for every thing that is done by every app on my computer?

It seems like we are being slow-boiled into accepting outrageous things as
normal.

~~~
frereubu
I don't want to come across as confrontational, but I find this kind of
response exhausting. I do not want control of everything on my computer. I
don't have time or expertise to decide on whether to accept each and every
security update, particularly ones that involve a web server which was
installed by stealth and which isn't removed when the app is uninstalled. I
want to outsource these kinds of decisions to people more qualified than me,
and if I don't have to pay extra for those people (beyond the extra expense of
buying Apple products) all the better.

If you want complete control over your computer you have the choice of getting
yourself a PC with some flavour of *nix, and combing through each update as it
comes. I really don't like the future of Apple that you seem to want. Apple
has made missteps, sure - like that idiotic U2 album - but I actively want
things like this to happen, and I imagine the vast majority of Apple users do
too (if they actually ever think about it).

~~~
ilikehurdles
Do you recognize any middle ground between the current state and your extreme
scenario of poring through every update?

~~~
frereubu
Honestly, for my purposes (I'm technical director of a digital media agency),
not really. I install updates automatically (apart from first-version releases
of macOS), and appreciate the gatekeeping aspect of the App Store for everyday
software.

When it comes to public-facing servers that we run it's a different matter of
course, but then I'm performing (and delegating) the same task that I want
Apple to perform for my MacBook Pro.

------
mukundmr
There is an undisclosed RCE that prompted Apple to act.
[https://twitter.com/riskybusiness/status/1148819622558236673...](https://twitter.com/riskybusiness/status/1148819622558236673?s=21)

~~~
sneak
It sounds like silent updates from Apple without automatic updates turned on
is also an undisclosed RCE - or an Apple backdoor, depending on how fine a
point you wish to put on it.

Being my OS or hardware vendor does not entitle you to permanent RCE on the
machine that now belongs to me.

Unless of course this is just a XProtect rules update or a Gatekeeper CRL
update, then ignore what I said.

~~~
saagarjha
It is.

------
sparky_
From the article, this sounds like it was a Gatekeeper change, de-whitelisting
the signature, rather than an update, per se.

~~~
msbarnett
More likely this was done via a signature update to xprotect, which is
essentially a background antivirus process in macOS.

~~~
snuxoll
Doesn't appear so, current XProtect version remains at 2103 which was released
a couple months ago now.

~~~
msbarnett
I haven’t checked, but are you looking at the version of the binary itself, or
the MRT signature files it uses?

~~~
snuxoll
Checked XProtect.meta.plist inside the app bundle, forcing an update check
with softwareupdate has no impact either.

Perhaps it’s a staged rollout, but at least on my iMac there’s no sign of
updated signatures.

~~~
msbarnett
Yeah you’re just looking at the version of the xprotect binary, not the
malware signature data files, which don’t live in the bundle and get updated
more regularly.

They also ship silently via system_installd, you’re not going to see anything
in the software update GUI.

~~~
snuxoll
The signature files also live inside the XProtect.app bundle, unless in true
Apple fashion they’ve got other stuff that’s lurking elsewhere in /System that
I can’t locate.

------
kunday
I wonder if this was the real reason behind the Zoom backflip. It certainly
cannot be good for business if your app gets marked as malware.

Seriously though, they should have owned the mistake, apologised and reversed
their decision rather than handling it with a PR spin. It is a great product
but somehow it has left me with little trust for zoom. It's probably still not
too late.

Does anyone know if bluejeans et al. are also removing this? Or does it
require public shaming, like the zoom case?

------
kaiwen1
Wasn't there once a company with the motto "Don't be evil."? If that motto is
abandoned, Apple should claim it since they genuinely try to do their best to
live by it.

~~~
oil25
Apple only does so when it's also convenient to their bottom line. They
provide the Chinese government backdoor access to iMessage, remove VPN apps
from their store to enable censorship, and have we all forgotten they are a
PRISM partner? These actions seem pretty "evil" to me.

~~~
xenadu02
> They provide the Chinese government backdoor access to iMessage

No. What gave you this idea? iMessage is end-to-end encrypted. The keys are
managed by the devices themselves. There is no facility to backdoor or
intercept the messages.

Apple acts as a registration server, notifying your devices when a new device
signed in as you joins the pool but the devices themselves tell you when this
has happened. That’s all client-side. If the server didn’t tell the client
about a new peer it would never encrypt a copy of the message for that peer
and that peer wouldn’t get the messages.

~~~
oil25
> iMessage is end-to-end encrypted. The keys are managed by the devices
> themselves. There is no facility to backdoor or intercept the messages.

That is only a half-truth. Apple controls the key infrastructure; they may
replace your keys with arbitrary ones at the demand, coercion or compromise by
any number of bad actors. The software is closed source, making it impossible
to verify any actual claims made otherwise. If they truly valued privacy, why
not open source iMessage, allow users to verify iMessage keys, hire an
independent third party to audit their infrastructure, or all of the above?

Moreover, Apple has moved iCloud infrastructure to Chinese data centers to
enable spying on millions of innocent people. They have removed apps from
their store which circumvent Chinese censorship. These are truly shameful acts
which have appropriately drawn criticism from human rights watch organizations.

[https://techcrunch.com/2018/02/25/apple-moves-icloud-encrypt...](https://techcrunch.com/2018/02/25/apple-moves-icloud-encryption-keys-for-chinese-users-to-china/)

[https://www.cnbc.com/2018/02/24/apple-moves-to-store-icloud-...](https://www.cnbc.com/2018/02/24/apple-moves-to-store-icloud-keys-in-china-raising-human-rights-fears.html)

[https://www.nytimes.com/2017/07/29/technology/china-apple-ce...](https://www.nytimes.com/2017/07/29/technology/china-apple-censorhip.html)

[https://blog.cryptographyengineering.com/2013/06/26/can-appl...](https://blog.cryptographyengineering.com/2013/06/26/can-apple-read-your-imessages/)

~~~
dymk
I find it disappointing that we blame companies operating in China and not the
real forcing function for all this: the Chinese government.

~~~
LIV2
The government is bad, so is a trillion dollar American company choosing to
collaborate with the government by enabling spying on their users just so they
can make even more money. They're enabling a government to track down &
torture/murder dissidents.

------
xeeeeeeeeeeenu
They are basically solving a self-inflicted problem. The real issue there is
the fact that macOS doesn't provide a standardized way to completely uninstall
an app.

~~~
taftster
Which is completely frustrating, because Mac is totally in the position of
using its built-in capabilities to deal with this. The Mac Bundle (.app)
format could solve this entirely. All application specific data should be
written inside of the bundle folder, so that when you delete the app, you
delete the thing entirely.

I mean, maybe you need a "user data" bundle of sorts tied to the specific
application. If you delete the app, it deletes all the user data bundles as
well.

The default installer and bundle runners should be controlling the process.
"XYZ App is attempting to write data files outside of its bundle location.
These may not be cleaned up if you delete the application. Do you want to
continue?"

The unix permissions system and the Mac bundle format should completely solve
this problem. I honestly just don't get why this still happens. Doesn't iOS at
least get this right?

~~~
maxsilver
> The default installer and bundle runners should be controlling the process.
> "XYZ App is attempting to write data files outside of its bundle location.
> These may not be cleaned up if you delete the application. Do you want to
> continue?"

If you do that, the entire system stops working. Everyone will just click "ok"
and then still get mad when uninstalling doesn't fully clean things up.

~~~
taftster
Well, that's fair. But hopefully in the process of getting mad, it starts to
reflect negatively on the application vendors and/or Apple directly. Maybe
that will be enough for them to change.

Maybe the app bundle runner should be logging files written outside of the
bundle folder? Then the uninstall process will wipe those out?

~~~
hunter2_
Wipe out all the things that you create with the app? All the text you created
when you uninstall a text editor, the photos you touched up and saved under a
new name, the audio recordings you made?

------
tonymet
The bigger question -- what other desktop apps have similar, latent daemons
hanging around? I'm always wary of installing stuff like this (e.g. zoom,
go2meeting, teamviewer).

Anyone know of other sneaky apps to avoid?

~~~
gaogao
Razer gaming keyboard drivers spin up a webserver for controlling the chroma,
which I've always found scary. (Using the much more reasonable community open
source drivers that don't do that.)

~~~
krferriter
Why in the world would a keyboard driver need to run a webserver? Client
software should just be able to call driver functions directly in order to
configure the keyboard. It sounds like they hired a web developer to write
their driver configuration tool and didn't give any architectural constraints
or have someone managing the project who knows best practices or security
principles.

~~~
nemothekid
I don’t have the keyboard, but it’s my understanding that application
developers can customize the lights on the keyboard. For example if you die in
the game your keyboard turns red.

To do that you need IPC, and a JSON endpoint is the most popular form of RPC.
If the server listens on localhost, I don’t see any issue with it - any issue
you would have with IPC, you would have with this style of RPC.

Now they could have provided a library to communicate directly with the
keyboard - but I think the drawback was games developers didn’t want to
integrate it into their games.

~~~
Slartie
> Now they could have provided a library to communicate directly with the
> keyboard

They could have also opened a named pipe. Much cleaner, faster, less overhead
than a web server, and way more secure (last time I checked, a website could
not simply perform a request on a named pipe via JavaScript. With a local web
server however...).

------
xenophonf
I don't know about the rest of you, but since crap like Zoom runs just fine in
Firefox, that's where I'm keeping it. Ironically, I trust the browser's
sandboxing way more than the vendor's app, which inevitably seems to open up my
computer to some crazy vulnerability or phone home with my personal data or
some other nonsense. I feel, perhaps wrongly, that I have more control over
what the browser executes and what (web) applications can access, so Zoom,
BlueJeans, Slack, Discord, and the rest are getting trashed.

------
gruez
And why did Apple shut down the app regardless? Was it not properly patched?
Did Apple not care?

~~~
eddieplan9
Because zoom’s patch will only help users still using and updating zoom while
those who have uninstalled zoom are still vulnerable (because the uninstalled
leaves the web server behind)

~~~
duxup
"(because the uninstalled leaves the web server behind)"

For cripes sake...

~~~
londons_explore
Because macos has no decent concept of package management or containerization.

~~~
Operyl
I mean. The issue at hand was that they purposely left the webserver behind to
auto reinstall if a zoom link was clicked. This was an intended feature, and
the same could have been done on Linux or Windows. Package management or
containers are irrelevant to this conversation.

~~~
nitrogen
A package manager would typically have removed the web server, too.

~~~
Operyl
Sure, the "package managers" on Linux, Windows, and macOS all behave in
pretty similar fashions. A manifest of files that the installer knew at time
of install. That doesn't stop a program from installing anything else at run
time, or even in the installer (since they can define what to remove in a lot
of cases). This wasn't an "accident," it was purposely left behind with the
intention of being used to onboard users easily even after they removed the
client. This would have pretty much been an issue on every platform (had it
been implemented on other platforms). And please, don't tell me "but Docker!"
Docker, at present, isn't really usable with GUI applications yet.

~~~
danieldk
_And please, don't tell me "but Docker!" Docker, at present, isn't really
usable with GUI applications yet._

But Flatpak! Flatpak applications can be sandboxed and you can install/remove
applications as one unit.

~~~
Operyl
Is Flatpak still open to the issues outlined at
[http://flatkill.org/](http://flatkill.org/)?

If so, it doesn’t seem much better.

------
drevil-v2
I wonder what happens now to the Product Owner who decided it was OK to
install a hidden web server on user machines?

~~~
mdellavo
eng has responsibility here for going forward with this

~~~
ummonk
This was likely a product manager decision, implemented by some hapless kid
fresh out of college.

------
AlexCoventry
Has anyone checked that `dpkg --purge zoom` does the right thing, on
debian/ubuntu?

~~~
ars
Keep in mind dpkg never removes user data.

So that said, I checked, and it removes everything zoom installs that isn't in
a user directory, plus (there is an extra script that does this):

        remove_folder "/opt/zoom"
        remove_folder "$HOME/.zoom/logs"
        remove_folder "$HOME/.cache/zoom"

Which is stupid since it's removing this from root, who probably never ran
zoom.

Note it removes logs from .zoom, but not the directory itself. Which is good,
since there might be user data in there (chat logs, and recordings).

Unlike Macs, there is no hidden webserver.

There is also (yes, it's commented out):

        #logged_in_users=$(who -q | head -n 1)
        #sorted_users=$(echo "$logged_in_users"|tr " " "\n"|sort|uniq|tr "\n" " ")
        #for user in $sorted_users;do
        #       echo "removing $(grep -w ^$user /etc/passwd | cut -d ":" -f6)""/.zoom..."
        #       remove_folder "$(grep -w ^$user /etc/passwd | cut -d ":" -f6)""/.zoom"
        #       echo "removing $(grep -w ^$user /etc/passwd | cut -d ":" -f6)""/.config/zoomus.conf..."
        #       remove_file "$(grep -w ^$user /etc/passwd | cut -d ":" -f6)""/.config/zoomus.conf"
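
An added example, not part of the Debian package or the thread, on the commented-out per-user loop quoted above: its `grep -w ^$user /etc/passwd | cut -d ":" -f6` lookup treats `-` as a word boundary, so a user name that is a prefix of another name joined by a hyphen resolves to two home directories, and a cleanup loop built on it would act on the wrong account. The passwd lines are constructed for this example (no real accounts), and `awk_lookup` and `line_count` are my own names for the exact-match replacement and a line counter.

```shell
#!/bin/sh
# Added example, not from the Debian package: why `grep -w "^$user"` is not an
# exact user-name match. Constructed passwd data, not from any real system,
# with a deliberately colliding pair of names.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/sh
bob-smith:x:1001:1001:Bob Smith:/home/bobsmith:/bin/sh'

# The lookup used by the script in the thread, applied to the sample instead of
# /etc/passwd. For "bob" it also matches "bob-smith", because grep -w only
# requires a non-word character (here "-") after the match.
grep_lookup() {
    printf '%s\n' "$PASSWD_SAMPLE" | grep -w "^$1" | cut -d ':' -f6
}

# Exact comparison of the first field: one user name, one home directory.
# (On a real Linux system `getent passwd "$user"` gives the same single line.)
awk_lookup() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $6 }'
}

# Number of lines a lookup returned; a per-user cleanup should see exactly one.
line_count() {
    awk 'END { print NR }'
}

echo "grep -w lookup for bob returns $(grep_lookup bob | line_count) home directories:"
grep_lookup bob
echo "exact lookup for bob returns $(awk_lookup bob | line_count):"
awk_lookup bob
```

The same exact-match discipline matters for the other problem ars points out: under `sudo`, `$HOME` is root's, so a cleanup that wants per-user directories has to resolve them from the account database rather than from the environment of whoever ran the installer.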

~~~
AlexCoventry
Thanks.

------
ummonk
I was thinking to myself “it is too bad Apple can’t just disable this like
they could have on iOS, cause I suspect most people I know with Macs would be
vulnerable to it and it is next to impossible to explain to a nontechnical
user how to actually uninstall this”.

Kudos to Apple for nuking this malware.

------
MobileVet
This explains why I couldn't find it on my system... was scratching my head
when the .zoom folder wasn't on either system that had the Zoom.app.

Strong work Apple.

------
devin
Apple is punishing Zoom, because they explicitly built this mess to get around
Safari appropriately prompting users to decide whether they wanted to open the
app on each meeting join. If you are a Safari user, there was never a
vulnerability. You’d be prompted. Why is no one talking about Chrome and
Firefox’s lax security posture here? It’s frustrating.

------
gumby
Note that dropbox also opens up three servers on your Mac, though when you
exit the app they go away, so are arguably discretionary. I assume they are
for lan syncing, though I don't know why that would require three ports.

They're blocked in my little snitch anyway so no problem.

------
Twirrim
Disturbs me somewhat that Apple has a way to silently push changes to laptops
without user interaction.

~~~
chipperyman573
Windows update does the same, no?

~~~
jrockway
Windows Update leaves behind a lot of logs with KB entries, so I don't think
they're trying to do anything secretly. If Microsoft changes your software,
you know about it.

~~~
outworlder
Nor is Apple. See other comments on this thread.

------
jvagner
I had a prospective client/customer, just today, schedule a Zoom meeting for
tomorrow. I was aware of the issue this week, but I wasn't really going to
make a lot of noise with someone who was just a prospect.

I figured.. this has probably evolved already to an acceptable situation.

So the calendar invite came in, I started up zoom to see what it would do.
There's an update available, where zoom says they're abandoning the local web
server.

Upgraded, should be good for tomorrow.

Came here, noticed the "softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data"
command and ran it. Checked last update -- back in June, to 1.42 ...

Updated that, ready to go.

Business continues, maybe I'll delete zoom another day, but not just yet.

------
Benjamin_Dobell
Where can I find the technical details regarding this patch?

Another application I've been running for years won't start up anymore and is
logging:

> _Thu 11 Jul 2019 23:12:59 AEST Waiting for web server to come up_

It may be coincidental, but would be good to know what Apple changed.

------
mayurpipaliya
No wonder Apple took this step!

Many users are unable to enable the video feature even after applying the
recent patch released by Zoom. Also, Zoom has become a security joke/conversation
topic when starting con calls!

------
ccleve
It bothers me that I see an increasing number of apps that run a local web
server. I've got half a dozen apps, mostly development tools like pgAdmin,
that force me to run the app and then access the UI through a browser.

How many such apps am I running that I don't know about? And how many of them
are exposing my system to malicious web sites, or to curious people in my
office on the same subnet? I wish I knew.
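
An added example, not from the thread, for the inventory question tonymet and ccleve both raise: triage the output of `lsof -nP -iTCP -sTCP:LISTEN` into servers bound to loopback and servers bound to a wildcard or interface address, which is the distinction that decides whether someone on the same subnet can reach them. The lsof lines below are constructed for the example (process names, PIDs and ports are made up), the function names are my own, and the parser assumes the default lsof column layout with NAME as the second-to-last field and command names without spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the output of
#   lsof -nP -iTCP -sTCP:LISTEN
# (numeric addresses and ports, listening TCP sockets only). The sample below is
# constructed for this example; the process names, PIDs and ports are made up.
LSOF_SAMPLE='COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
helperopener  512 alice    7u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19421 (LISTEN)
devtool       803 alice   12u  IPv4 0x3c4d      0t0  TCP *:5050 (LISTEN)
adminui       911 alice    9u  IPv6 0x5e6f      0t0  TCP [::1]:8443 (LISTEN)
syncagent     977 alice   21u  IPv6 0x7a8b      0t0  TCP [::]:17500 (LISTEN)'

# Reads lsof output on stdin and prints one line per listener:
#   SCOPE COMMAND PID PORT
# where SCOPE is "loopback" (127.0.0.0/8 or [::1]) or "exposed" (anything else:
# the wildcard "*", "[::]", or a specific interface address).
# Assumption: default column layout, NAME second-to-last, "(LISTEN)" last,
# and command names without spaces.
classify_listeners() {
    awk '$NF == "(LISTEN)" {
        name = $(NF - 1)
        n = split(name, parts, ":")
        port = parts[n]
        addr = substr(name, 1, length(name) - length(port) - 1)
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        print scope, $1, $2, port
    }'
}

# Only the listeners a machine on the same subnet could connect to.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed" { print $2, $3, $4 }'
}

# Stand-alone run over the constructed sample; on a Mac replace the printf with
# the lsof command itself.
printf '%s\n' "$LSOF_SAMPLE" | classify_listeners
```

The exposed list answers the "people on the same subnet" part of the question. The loopback list is still worth reading: a loopback-only server is reachable by every local process and, as the Zoom case shows, by web pages loaded in a local browser, so each entry there should be something you can name.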

------
TheArcane
This whole saga and how it played out is the final nudge I needed in my
decision to move completely from Android/PC to Apple.

------
geocar
Why do web browsers even allow access to localhost? Seems like developers just
use this to abuse/violate user preferences anyway.

I think I'd be happy with a popup once-per-tab asking me for permission for a
web page to talk to a local web server... Might even be okay if it's scary
(Are you a developer?)

------
Razengan
I appreciate Apple's handling of these issues, but is there a local log or
something where you can see all such "secret" updates?

Edit: Apparently there is:

[https://news.ycombinator.com/item?id=20409200](https://news.ycombinator.com/item?id=20409200)

------
gdfiutyer
Does anyone know if issues like this would only affect the current user
account?

I currently have a separate limited user account just for meetings, and that’s
where I install various meeting apps. So in my case is there any way to know
if Zoom or WebEx would install stuff on all accounts?

------
ancorevard
This is why I don’t trust apps outside the App Store as much.

If we can’t trust an app that is the cornerstone of a 25 billion dollar
business (Zoom’s market cap) not to install malware, then I don’t know.

I want the trust through the App Store.

PS. I love Zoom, and find it to be the best conference solution out there.

------
snissn
I haven't been following this issue, but i am very wary of Zoom since they
automatically turn your camera on and broadcast your stream as soon as you
click a Zoom link in your web browser which seems like a major issue to me...

------
victor106
You can judge how a company functions internally by how they respond
externally,

Zoom’s initial response to this incident was shameful. They basically said
“that’s how our app works. F U”

I am moving away from Zoom.

Any suggestions? Preferably open source

------
sahin-boydas
Zoom should be investigated by the US government.

[https://news.ycombinator.com/item?id=20408502](https://news.ycombinator.com/item?id=20408502)

------
austinkregel
I'm so glad they're killing it too. Zoom did a horrible job handling this.
(yes, I'm assuming the reported timeline is correct).

------
lighthazard
Please, Apple, give me a way to disconnect my microphone and webcam on an OS
level so apps can't randomly access it.

~~~
sn0v
Doesn’t that already exist under Preferences > Security & Privacy?

Afk rn so i might be misremembering the name of the setting.

~~~
lighthazard
TIL! Thanks! This is exactly what I wanted.

------
fbelzile
Right, but when you try to report a busted macOS API to Apple that breaks your
app, you have to walk on egg shells...

------
fluffything
Now they should push an update to forbid Apps from doing that in the first
place without asking the user at least.

------
davidhariri
How do these kinds of silent updates work?

~~~
saagarjha
This is an update to Apple's Malware Removal Tool (MRT) blacklist.

------
gigatexal
Zoom should just move to a webRTC based setup with no plugins or anything.
Wouldn’t that make things easier?

------
fortran77
Why wasn't Microsoft susceptible to this? Did the Microsoft Windows 10
firewall stop this?

------
1-6
What I'm more surprised about is how Apple can giveth and quickly take it away
remotely.

------
cyborgx7
Once again, a popular site that is completely GDPR non-compliant. To opt out
of tracking you have to go through six layers of obfuscation. And don't take
the wrong turn, or you will just come to walls of text, meant to do nothing
but make you throw up your hands and give up. Or you can just opt in to
everything with one click.

------
akashima
looks good to me. Do more and more at that pace.

------
hidiegomariani
i love apple for these kind of things

------
kizer
Who cares?

------
tonymet
I imagine Apple has known about this daemon for a long time from its OS
analytics.

~~~
eridius
What OS analytics?

Apple gathers various anonymous metrics, yes, but I don't think they collect
information on arbitrary web servers running on Macs.

~~~
tonymet
Crash reports include running processes.

What do you think the anonymous metrics are if the process list and open
sockets are excluded?

~~~
eridius
Crash reports do not include information from processes other than the one
that crashed. They also don't include open sockets. If the web server crashed
and produced a crash log, maybe that'll get sent, but I don't know if Apple
even collects crash logs from non-MAS apps anyway (what would they do with
them? They collect crash logs from MAS apps in order to provide them to the
developer).

------
bori5
Zoom? Thought they were talking about the zoom gesture in MacOS. I’ll move
right along then ...

------
stefan_
So they installed without further confirmation a silent update that removes a
silent installer? No irony?

~~~
eridius
Not really, no. Apple's update is just a configuration change to XProtect,
which is the anti-malware system. It's not an OS patch, it's just like any
third-party malware system auto-updating signatures.

------
jiveturkey
etrecheck found this for me maybe 2 months ago. coincidentally right in the
disclosure window!

i tried etrecheck on a lark. at the time i found it unremarkable. oh, i have
this leftover dingle here, thanks etrecheck, i'll just remove it then. but
otherwise i wasn't screaming etrecheck from on high.

now i am!!

~~~
jhayward
Everything about the etrecheck website screams "system optimizer scam!" and
this comment does nothing but reinforce that feeling.

~~~
jiveturkey
it's a very simple tool, to be sure. but come on, it's not like it's steve
gibson wares ...

the free version is perfectly adequate. it's simply an information gathering
and reporting tool. anyone could write this tool themselves -- the mechanics
of it are beyond simple. but like all sysadmin tasks, gathering the
requirements is the hard part.

~~~
etresoft
Alas, EtreCheck is far from simple. Early versions were little more than a
wrapper around system_profiler. But the current version is very sophisticated
(~40K lines of ObjC, C, XSL, XML, HTML, and JS) and has some one-of-a-kind
features. (see above)

------
bcheung
> Apple said the update does not require any user interaction and is deployed
> automatically.

I think this scares me just as much. #singlePointOfFailure #rootKit

~~~
saagarjha
This isn't an "update" in the traditional sense and you can turn this off from
System Preferences.

------
Jedi72
My coworker owes me lunch, I said they would yank the Zoom app for breaking
the app store's TOS (close enough hahaha). Apple can't be very happy with public
companies breaking their platform, especially in the name of "UX", which is
supposed to be (and is) their differentiator.

~~~
amarshall
Except Zoom isn’t available via the Mac App Store, so there’s no ToS for them
to have broken.

------
cpncrunch
My Macbook pro froze this morning...the mouse moved, but I couldn't interact
with anything. After a few mins, I hard rebooted it, and it worked fine after
that. I'm not sure if it was related to this update, but it's the first time
that this has ever happened, so it's a little bit of a coincidence.

~~~
Ambroos
This has been widespread for the last week and a half, but nobody knows why.
Unrelated to zoom.

~~~
cpncrunch
Looking at my logs, I see a gpu reset at the time the problem occurred:

Event: GPU Reset RCS Ring is: - busy - in the ring <-- Appears hung

I suspect the automated GPU reset didn't quite work, as nothing was
redrawing properly.

