Hacker News new | past | comments | ask | show | jobs | submit login

This is untrue. The update process was part of Xprotect, the malware definition/signature system built-into macOS that's part of Gatekeeper [1]. It dates back to Mac OS X 10.5 Leopard and was expanded on Mac OS X 10.6 Snow Leopard (the Gatekeeper GUI was introduced in OS X 10.8 Mountain Lion and back ported to Mac OS X 10.7.5 Lion). Updates were historically issued via minor OS updates, but Apple started to do silent updates to the Xprotect definition list a number of years ago, as a way to target popular/growing strains of malware (which were often installed via cracked apps).

There were a few instances in the last few years where the repos or built-in update systems of legitimate programs were compromised and bundled malware (and in one case, ransomware) along with their apps. In those cases, Apple also silently updated XProtect to remove the malware.

In this case, just because this was a webserver and not something more traditional like a trojan doesn't mean that it isn't still malware. The Risky Business podcast asserted the existence of the RCE before Apple jumped into action that it says Zoom knew about for months. Given that the only way to remove the webserver is to update Zoom (something that won't help any user that has already uninstalled Zoom, which kindly left the insecure webserver behind), this type of update makes perfect sense -- especially since Zoom itself is removing the server from its own application bundle.

This was malware, pure and simple. It wasn't third party software. It was malware left behind/included with a third-party app. It's not as if Apple removed the Zoom app -- it removed the piece of malware Zoom was including alongside its app. The fact that Zoom was including this malware as a way of bypassing Apple's access control in Safari (God forbid the user have to click a button confirming they want to open a meeting) is beside the point -- this was malware.

Additionally, users can turn off the auto system updates and they can disable Gatekeeper entirely.

I understand the broader concern of an OS maker being able to remove files a user chose to install -- but this is a very unambiguous case of malware. Just because the RCE wasn't actively exploited doesn't mean it wasn't malware.

[1]: https://en.wikipedia.org/wiki/Gatekeeper_(macOS)

I understand why Apple did it and the additional context you provide does change my opinion somewhat in Apple's favor, but I disagree about Zoom being malware because malware is made in bad faith to introduce functionality the user never intended to use.

What Zoom did was negligent and incompetent, but I don't see that there was malicious intent. I do agree, however, that what they tried to do is unacceptable even if implemented competently.

I think when you refuse to address a reported security issue related to something you installed (without the users knowledge and without a way for the user to easily remove) as a way to bypass an access control pop-up, and cite that it’s a feature not a bug, until forced by the public/other disclosures to remove it, The intent is malicious.

But even if it weren’t — and we can agree to disagree on the intent — the second the RCE is popped, it becomes a massive security issue and it becomes traditional malware. As I said, I’m convinced Apple would do the same thing if this was something left behind or associated with Java or Flash.

Malicious intent is the only thing that separates malware from a regular security issue. So if we disagree on intent we have to keep disagreeing on whether or not it's malware.

But I will admit that I'm starting to see the question of Zoom's intent a bit differently after thinking about what you have said.

Lying to users about the uninstallation is pretty icky intent. It's weird to make this about the sanctity of user choice and just repeatedly ignore that bit on top of coming up with a throughly inaccurate narrative about the nature of Apple's response.

I didn't ignore that bit. You didn't bring it up in your responses to me.

Instead you defended Apple fixing security issues in third party software (as I understood it without user consent) and you compared any concerns about that with concerns about buses intentionally running over pedestrians.

So apparently our debate took wrong turn and that wasn't entirely my fault although I will take some of the blame.

I agree that Zoom's intent (and even more so their methods) is icky. So perhaps we should have focused on that, because I can understand the reasoning that this makes Apple's actions look far more justified than I initially thought.

It's not.. it is malicious. They want to circumvent os/browser behavior / user protection (the prompt to open zoom). To hack around this they install malware to get things done. It is exactly the same as using doing something that wouldn't pass the appstore checks.

It is actually very competent of them, except for the security part.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact