
Tell HN: Cisco WebEx on OS X uses the same pre-installer tricks as Zoom - mmastrac
I noticed while installing WebEx today that the installer immediately terminated itself after popping up the pre-installation script.

Running `strings` on the installation plugin (CWSPkgPlugin.bundle) shows why - it's using a similar process to what Zoom does [1]

    +[CWSUtilBase unzip:to:]
    /usr/bin/unzip
    Clean up temp unziped app done: %i
    unzip:to:
    [...]
    Cisco Webex pkg plugin, begin init work.
    Install CWS result: %i
    Launch CWS result: %i
    Terminate installer: %@
    Terminate self: %@
    [...]
    /usr/sbin/lsof
    forceTerminate

Previously discussed here: https://news.ycombinator.com/item?id=22736608

[1] https://www.imore.com/zooms-preinstallation-script-workaround-macos-very-shady
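
The triage described in the post above, as an added example that is not part of the original post and not Cisco's code: it extracts printable strings from a binary the way `strings` does and groups the ones quoted above by behaviour. The grouping, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Substrings to look for, grouped by behaviour. Every substring comes from the
# `strings` output quoted in the post; the grouping is this example's own.
INDICATORS = {
    "unpacks an archive": ["/usr/bin/unzip", "unzip:to:"],
    "installs or launches by itself": ["Install CWS result", "Launch CWS result"],
    "terminates the installer": ["Terminate installer", "Terminate self",
                                 "forceTerminate"],
    "inspects running processes": ["/usr/sbin/lsof"],
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII, roughly what strings(1) prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Map each behaviour to the extracted strings that contain an indicator."""
    found = {}
    for s in extract_strings(data):
        for behaviour, needles in INDICATORS.items():
            if any(n in s for n in needles):
                found.setdefault(behaviour, []).append(s)
    return found


def looks_like_early_install(found: dict) -> bool:
    """True when a plugin both unpacks a payload and ends the installer."""
    return "unpacks an archive" in found and "terminates the installer" in found


# Constructed sample: the quoted strings separated by non-printable bytes,
# standing in for the contents of a plugin binary. BENIGN is also constructed.
SAMPLE = b"\x00\xca\xfe".join([
    b"+[CWSUtilBase unzip:to:]", b"/usr/bin/unzip",
    b"Cisco Webex pkg plugin, begin init work.",
    b"Install CWS result: %i", b"Launch CWS result: %i",
    b"Terminate installer: %@", b"Terminate self: %@",
    b"/usr/sbin/lsof", b"forceTerminate", b"ab",
])
BENIGN = b"\x00".join([b"NSLocalizedString", b"InstallerPane", b"viewDidLoad"])

if __name__ == "__main__":
    report = triage(SAMPLE)
    for behaviour, hits in report.items():
        print(f"{behaviour}: {hits}")
    print("early install suspected:", looks_like_early_install(report))
```

A hit only shows that the strings are present in the binary; confirming what the plugin does still means reading its code or observing an install.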
======
atarian
The founder of Zoom used to work at WebEx before it was acquired. Wouldn't be
surprised if he brought along some WebEx folks as well.

~~~
cwilkes
I would love to see a lawsuit about stolen malware IP.

~~~
ddrt
Is it officially considered malware by Apple? If so... feds don’t screw about.
Those guys could be in serious trouble.

~~~
vermilingua
Well then they’re lucky that law enforcement has a _slightly_ more involved
process to determine criminality than checking Apple’s malware filter list.

~~~
abduhl
But _should_ they?

~~~
some_random
Yes, I've always been a fan of not giving corporations the right to have
people arrested and imprisoned without due process

------
diebeforei485
No wonder their uninstallation instructions[1] are hilariously complicated.
They somewhat-helpfully point to an actual separate uninstaller package to
download, but it doesn't even remove all the things mentioned on this page.

1\. https://help.webex.com/en-us/WBX38280/How-Do-I-Uninstall-Webex-Software-on-a-Mac

~~~
whatsmyusername
What's real great is they didn't notarize the app. So on Mac you have to
individually allow about 30 Java bits in a row.

~~~
slenk
Yes - holy crap is it annoying. I found the best way was to only launch
meetings from their desktop client :S

------
Jonnax
I was surprised that when I ran a WebEx exe on Windows to join a meeting,
after the meeting concluded a window appeared with my calendar information
pulled from Outlook.

It really highlights how on desktop, apps can do what they like. Whilst on
mobile platforms at least you have to grant specific access.

~~~
duxup
I'll admit as a web dev I sometimes take some of the "omg JavaScript" a little
personally. Some of the usual pile on articles (granted their complaints
aren't technically 'wrong') sometimes imply the browser is a bad place for a
lot of things that are happening there privacy wise and etc.

I always wonder ... "Uh, do you want platform specific desktop apps? You're
not much better protected there man... and app availability becomes limited /
a pain."

~~~
lonelappde
There's no fundamental technical reason why apps can't run as their own users
(like apache and postgres have done for 20 years) and use something like
OAuth to control sharing data with other apps. Just laziness.

~~~
duxup
I'm kinda lost on the comparison between postgres and... web applications?

~~~
philtar
He's comparing postgres to a normal desktop application.

------
monadic2
Why do these apps require installers at all? What are they
installing—presumably any of their proprietary tech can run in userspace
unprivileged.

Personally, my best guess is because that’s the flow the product manager
expected.

~~~
ryandrake
The standard way to install an application on the Mac is to simply drag it
into the Applications folder. That’s what is expected by users. For the vast
majority of applications this should be enough. Whenever I see a Windows-style
“installer” the first thing I think is... what kind of shenanigans are going
on?

~~~
izacus
This standard way doesn't work in corp environments (which WebEx and Zoom are
targeting primarily), where machines are remotely provisioned. For decent
macOS remote installs and updates you need the PKG format scripts.

~~~
monadic2
What is so hard about remotely provisioning app bundles in a standard place? I
ask because I have been tangentially involved in both image and script based
provisioning and interacting with PKGs would seem to complicate, not simplify,
both processes.

~~~
mschuster91
It's the processes. Every update will have to go through change requests,
loads of approvals, ...

------
fiddlerwoaroof
I still don’t understand the issue with this: it’s not using this feature as
intended, but they’re not exploiting any vulnerabilities or attempting to
exploit a privilege escalation bug in macOS. Apple’s installers allow these
scripts to do anything (and I believe there’s a prompt along the lines of
“this installer will run a script to determine if the package can be
installed”).

~~~
berti
> “this installer will run a script _to determine if the package can be
> installed_”

Why would the user expect that script to install the application, or even
modify their system in any way?

~~~
californical
The fact that Apple allows an application to be installed in this step is an
issue with Apple's design.

~~~
saagarjha
It’s a script, though; should they sandbox the preinstall phase? That would
break most packages.

~~~
steerablesafe
Instead of silently breaking they could have a popup like "Do you allow the
preinstall script to write into /this/folder?" on a write operation outside of
the sandbox.

~~~
the_pwner224
99% of users will have no fucking idea what that means. They will either click
'Allow' (which makes this feature useless for 99% of people) or contact tech
support (adds friction to installation, which is bad especially for
conferencing software) or just give up and not use the product (which is bad
for the company).

~~~
catalogia
To be fair, it would at least ruin Zoom's incentive to do any of this, since
they wanted a streamlined process that prompts the user less.

Why they didn't just use a dmg that has you drag the application into
/Applications/ is something I still don't understand though. Surely that is
the simplest most user friendly way to have non-technical users install
applications without using the appstore.

------
rayymlai
The Zoom guys are ex-WebEx guys. I saw the same zoom-bombing problem in WebEx
a few years back. We just enforce adding passcode/PIN to each meeting to
remediate customer escalation.

------
Cthulhu_
Why aren't more apps like Zoom and this one distributed via the app store? I
mean besides the installer hackery they are legitimate and free apps right?

Or would that mean that their premium services would require paying the fees
to Apple, which they avoid this way?

~~~
adwww
Can you even use the app store with a company mac? Who has the login - your
personal account or some corporate one?

~~~
berdario
Good question, I think it should be the corporate one, and even if it might be
a bit more work to set up, it's definitely in the company's interest, since
then the applications that are installed can be sandboxed and be
vetted/whitelisted more easily.

~~~
xnyan
App Store is disabled on my enterprise mac, same for my last job. I think it's
fairly common.

~~~
adwww
Same as mine, but I didn't know if it was common or not.

------
x0x0
Everyone who's spent 3 hours talking a parent through downloading and
installing a Zoom client understands exactly why they're doing this. Mine are
unable to (1) reliably download a zip file; (2) navigate to that file using
Finder; (3) run something inside it.

By the time we were done -- I use copilot (basically VNC with NAT punching
built in) -- and I got control of the laptop to just do it myself, there were
7 downloads and 4 unzip attempts.

My MIL and I have literally had facetime pointed at her laptop while I
directed her where to to get copilot running for the quarterly cleansing-of-
the-spyware.

~~~
sigjuice
They need to do the work to get on the Mac App Store

~~~
gamegod
The Mac App Store is a trap - The sandboxed APIs are severely limited, and no
large company is going to let Apple get even more in-between them and their
customers.

~~~
ken
First, they can use the sandbox without going through the Mac App Store.
Sandboxing is a good idea regardless of distribution method. That would
improve security for everybody, without needing to 'let Apple get in between
them and their customers'.

Second, Zoom already runs sandboxed for the other two ways you can run their
client on Apple operating systems: the (iOS) App Store and the web. The Mac
sandbox is the least strict of the three. So whatever they do, it doesn't seem
to be hindered by 'severe limitations'.

I have yet to hear any feature that a legitimate videoconferencing application
would need that would be disallowed by the macOS sandbox. Lots of other video
chat apps are on the Mac App Store, like Facebook Messenger. Is the issue
simply that Zoom is being sketchy and wants to continue to be sketchy, and
sandboxing would not allow them to? That's not because the MAS is 'a trap'.
That's its main feature.

~~~
damnyou
The issue is not technical. It is political. Apple is arbitrary and
capricious, and no one sensible wants every update to their software to be
held hostage to Apple's whims. Large companies like Facebook can cut special
deals.

------
wfbarks
I hate it when the software I am trying to use installs itself on my computer
after I click on it.

------
Saaster
I work in a tech company. The number of people you see who have their desktop
filled with permanently mounted DMGs, launching their apps by opening said DMG
and launching their trusty old Chrome version 53 by double-clicking the icon
would blow your mind.

Users don't use your software as you would like them to. Zoom now requires ~4
clicks to update when a new version is released as you click through the
installer steps. You _have_ to click the single frickin' disk icon (which is
the only disk 99.9% of Apple users are going to have... still you have to click
on it) in one of the steps for the Next button to activate. Result: I fully
expect a large percentage of the users to never update their Zoom successfully
again. Great win for the users, the software which you downloaded, then
clicked to install, no longer executes that scary pre-install script.

~~~
KORraN
Not sure about what clicking disk icon you are talking about, but today's
update showed up as regular pkg installer ("Next", "Next", "Accept",
"Finish").

~~~
Saaster
Chrome uses a DMG, and the result is that people are using ancient versions
of it straight out of their Downloads or Desktop folders.

Zoom uses a .pkg, and have now removed the one-click install script. So every
update to Zoom now runs through the same multi-step Next process as well (with
one of the steps inactive until you select your disk, as is customary). If you
think that isn't a problem for users, you've never walked grandma through the
steps while she's trying to show her screen through the phone to you.

~~~
KORraN
I believe you that in some configurations you have to select a disk where you
want the update to be installed, but in my case it's selected automatically, so as I
mentioned in the previous post, it's a matter of clicking "Next" buttons.

------
qwerty456127
I believe this is not hard to detect. Apple should detect this and report such
an installer as particularly risky. Chances are the majority of installers
working this way actually are malware, legitimate apps like Zoom and WebEx
probably are exceptions.

~~~
thu2111
That's extremely unlikely.

Malware on macOS isn't prevalent. There is no market for anti-virus vendors on
macOS, and Apple have been repeatedly tightening the approval process for
macOS software. Gatekeeper only ever gets _more_ aggressive, not less.
Meanwhile videocall software is widespread, it's rapidly become a necessity
for a large part of the world's population. I wouldn't be surprised if on
macOS it's now in second place as a category behind web browsers.

No.

What Apple should, MUST do as quickly as possible, is understand and react to
what developers here are trying to tell them - the usability of macOS software
installation is terrible and no, the App Store is not an acceptable
alternative. macOS software install UX is worse than Windows. It's worse than
Android and iOS. It's better than Linux but that doesn't say much.

If Apple want to end these practices, they need to deliver:

1\. Genuine one or two-click install of software from the web, without the App
Store being involved and without requiring sandboxing, allowing install
scripts and for signed/notarised software, without any security popups. DMG
style installs require drag and drop AND device unmounting, which isn't
especially discoverable and hardly used on mobile platforms so some users
can't figure it out (hence the reliance on PKG files).

2\. Removal of the scary popup that Safari shows when a user clicks a non-http
URL.

Desktop software on macOS relies on these techniques because measuring the
ratio of number of downloads to number of successful app starts shows that far
fewer people make it through the process than they should, for instance, fewer
than on Windows. This is a bit of an open secret in the desktop software world
for many years now; Google for instance has detailed data on the problem. Each
click you add causes the success rate to drop and macOS requires far more
clicks than is justifiable. Additionally, the web server trick Zoom uses is
because otherwise some non-trivial proportion of Safari users just
automatically click cancel on the security popup when a web page tries to open
a meeting, without even reading it. They don't understand what they're being
asked or why, but figure if Apple want to double check with them it's safer to
say no. Then they fail to join a meeting and if they're an important
participant, that means the meeting fails for everyone.

Note that this usability problem is Safari-specific. On other platforms and
browsers such workarounds aren't needed.

People need to stop giving Apple the benefit of the doubt here. Videoconf
firms aren't doing this extra work because they're malicious or incompetent or
because they inexplicably like doing work. They're doing it because otherwise
a lot of Mac users fail to achieve the task they set out to do, and that hurts
the usage of the video platform. It's ultimately Apple's problem to fix.

~~~
maccard
> 1\. Genuine one or two-click install of software from the web, without the
> App Store being involved and without requiring sandboxing

I disagree with this. Why is going via the app store a bad thing? The app
store is the solution here. Zoom should be able to tell apple "Hey I'd like to
handle zoom://" links, and clicking one will redirect you to either zoom or
the app store (without the source of your link knowing where you ended up),
where you can have a one click install.

I also firmly disagree with the concept that sandboxing shouldn't be enforced.
There is _no_ reason for any software (particularly software like Zoom, Webex,
Slack) to have unfettered access to my machine.

~~~
tonypace
No company that has a choice is going to pay Apple their tax. That's why the
MacOS store is always going to be the same as the Windows store: a home of
loser apps. Since another install procedure is available, only losers will use
the app store. Ergo, any software available through the app store is a loser
app.

~~~
codydh
And yet Microsoft Office is available via the macOS App Store, alongside
venerable packages like Adobe Lightroom and Photoshop, Logic and Final Cut
(Apple-owned software), the Omni suite of software, Autodesk software,
Pixelmator, etc.

The App Store has problems, but all apps there being "loser apps" is not one
of them.

~~~
jedieaston
You can't pay for Office through the App Store though, you have to activate it
with a personal or corporate Office 365 account. If you bought a perpetual
license, I believe you have to go get it through Microsoft regardless.

~~~
thu2111
Which is by the way against the App Store policies, so they must have cut some
special deal.

------
MR4D
Isn’t all of this because of the historical WebRTC issues in Safari?

~~~
djrogers
In short, no.

~~~
MR4D
So, I was under the understanding that Safari was dragging their feet on the
whole WebRTC thing, and if they had come out with it when Chrome did, that
these types of apps would then be able to run in the browser (just like Jitsi
does today, I presume).

I know that companies have a perverse incentive to sell your info to
advertisers and such, so I'm not trying to wave that away.

Just wanting to understand if Safari DID have webRTC much earlier, would we be
talking about Zoom today?

------
badrabbit
Yeah and if WebEx suddenly got popular like Zoom, it too will be massacred.

This stuff is common. You know how many popular Windows software acts bad?
Filezilla's installer for example would literally install a very nasty strain
of adware (to their credit, they give you the option to opt-out)

------
emayljames
The answer lies in zoom making a no-fuss-one-click installer and another full-
winded-installer.

------
werber
For work we’re in the process of switching from one to the other and the join
meeting links on invites are now half functional on both. I wonder if this is
the culprit

------
Bnshsysjab
Has anyone checked that it doesn’t have the same uninstalled bugs? Namely the
remote code exec rce that dropped a few months back..

------
baxtr
On top of that, WebEx quality is way worse than zoom

------
feelapi
Cisco is not from China. Zoom is from China. End of story.

------
chvid
This is not malicious. This is simply easing up the installation process. If
the files can be copied directly into applications then do so rather than
trigger a password prompt.

I would do the same.

------
alkonaut
This is Apple's fault. Not for not blocking it but for not making the
download-and-install as streamlined as it needs to be. Being forced to drag something
to a folder is not the UX you expect.

~~~
Cthulhu_
Would distribution via the App Store work? I mean that is the easiest and most
trustworthy way - from a consumer's point of view - to install software.

~~~
alkonaut
App store installs are easy.

The difficult problem is making sure non-technical users can install and run
binaries from untrusted third parties in basically a single click.

Does that sound like a security nightmare? It is. But it's also the users'
expectation of "just working".

