It's like Google making an ad hoc decision to use Chrome autoupdate to silently patch a particularly bad vulnerability in Microsoft Word just because they can.
So what is the principle behind this kind of exception? It's simply this: If it's bad enough, normal rules can be suspended and anything goes. It's like declaring a state of emergency. It's not normal or mundane.
Now the question becomes what is bad enough and who gets to decide what is bad enough? People will point to incidents like this and ask questions like: Why was the San Bernardino attack not bad enough for Apple to suspend its usual rules? Why can people store tons of pirated music on their Macs without Apple taking action? Why does Apple allow criminals to hide behind end-to-end encrypted messaging software?
If Apple has decided to take responsibility for the security of all third party software on macOS then they should say so. They should change the rules instead of breaking them in an ad hoc fashion.
Then we can all decide whether or not we want to hand total control to Apple (and to those who have control over Apple).
There were a few instances in the last few years where the repos or built-in update systems of legitimate programs were compromised and bundled malware (and in one case, ransomware) along with their apps. In those cases, Apple also silently updated XProtect to remove the malware.
In this case, just because this was a webserver and not something more traditional like a trojan doesn't mean that it isn't still malware. The Risky Business podcast asserted the existence of the RCE before Apple jumped into action that it says Zoom knew about for months. Given that the only way to remove the webserver is to update Zoom (something that won't help any user that has already uninstalled Zoom, which kindly left the insecure webserver behind), this type of update makes perfect sense -- especially since Zoom itself is removing the server from its own application bundle.
This was malware, pure and simple. It wasn't third party software. It was malware left behind/included with a third-party app. It's not as if Apple removed the Zoom app -- it removed the piece of malware Zoom was including alongside its app. The fact that Zoom was including this malware as a way of bypassing Apple's access control in Safari (God forbid the user have to click a button confirming they want to open a meeting) is beside the point -- this was malware.
Additionally, users can turn off the auto system updates and they can disable Gatekeeper entirely.
I understand the broader concern of an OS maker being able to remove files a user chose to install -- but this is a very unambiguous case of malware. Just because the RCE wasn't actively exploited doesn't mean it wasn't malware.
What Zoom did was negligent and incompetent, but I don't see that there was malicious intent. I do agree, however, that what they tried to do is unacceptable even if implemented competently.
But even if it weren’t — and we can agree to disagree on the intent — the second the RCE is popped, it becomes a massive security issue and it becomes traditional malware. As I said, I’m convinced Apple would do the same thing if this was something left behind or associated with Java or Flash.
But I will admit that I'm starting to see the question of Zoom's intent a bit differently after thinking about what you have said.
Instead you defended Apple fixing security issues in third party software (as I understood it without user consent) and you compared any concerns about that with concerns about buses intentionally running over pedestrians.
So apparently our debate took a wrong turn and that wasn't entirely my fault although I will take some of the blame.
I agree that Zoom's intent (and even more so their methods) is icky. So perhaps we should have focused on that, because I can understand the reasoning that this makes Apple's actions look far more justified than I initially thought.
It is actually very competent of them, except for the security part.
I don't see anything in the article that suggests this - as I read it, it pretty much says the opposite. What else have you read that outlined these rules and the exception Apple made?
As far as I know, there is no system-wide update mechanism for third party software not distributed through the Mac App Store that does not require any user interaction. So apparently they (ab)used the system update mechanism.
Zoom is clearly not malware. It just has a bug. Is updating regular third party software documented behaviour of macOS? If so then I agree that it is not abuse. Otherwise Apple has some explaining to do.
That is not a bug
The problem is that Apple appears to have made an exception to its own rules in this particular case. If I understand correctly, they used a first party system update mechanism to change third party software.
I don't think any of these are established facts and I don't understand how you, a fellow fact-fancier, haven't acknowledged that before breezily moving on to a discussion of the precise definition of the term 'malware'.