Update 7/16: Apple has issued two more silent updates to macOS that address other apps that may be using Zoom's localhost server.
Apple is taking further action to shut down Zoom servers that may be running on your Mac without your knowledge . A week after Zoom released a patch for its Mac app that removes a localhost web server from your Mac and allows users to manually uninstall the app from the menubar (you can download that patch here), Apple has issued its second and third updates to shut down servers running in the background.
The updates address a similar issue with the RingCentral and Zhumu apps, which use Zoom's technology.
In a Medium post on July 8, security researcher Jonathan Leitschuh disclosed a vulnerability in the Zoom app that could allow a website to access your Mac’s camera without your knowledge or permission. As Leitschuh explained, the vulnerability seemingly stemmed from Zoom’s quest for simplicity. As the service works, you can just send anyone a Zoom meeting link which will in turn automatically open the Zoom client installed on their machine. In case you’ve deleted the app, Zoom keeps a localhost web server running silently on your Mac, Leitschuh said, so the Zoom client will reinstall when a link is clicked without requiring any user interaction on your behalf besides visiting a webpage.
As Zoom explained, changes implemented by Apple in Safari 12 that "require a user to confirm that they want to start the Zoom client prior to joining every meeting" disrupted that functionality. So in order to save users an extra click, Zoom installed the localhost web server as “a legitimate solution to a poor user experience problem.” While the company claims that it has no evidence of a Mac being subjected to a DOS attack, which it describes as a “empirically a low risk vulnerability,” it also announced it will be implementing a public vulnerability disclosure program within the next several weeks.
But even beyond the practice of surreptitiously running a localhost web server on hundreds of thousands of Macs around the world, Leitschuh unearthed a vulnerability that “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission … and would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.”
Leitschuh says Zoom dragged its feet on disclosing the vulnerability after being contacted in March, having only implemented a “quick fix” in late June. However, after he published the Medium post Monday, the company responded with a workaround rather than a true fix: “In light of this concern, we decided to give our users even more control of their video settings. As part of our upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting. This change will apply to all client platforms.”
However, all that changed when the story began getting traction among Mac enthusiast sites. Late Tuesday, the company released a patch that both removed the localhost web server and allowed users a way to permanently delete the Zoom app after calling the issue an "honest oversight."
Disable the Zoom localhost web server manually
If you want to permanently disable the localhost web server from running on your Mac without installing the update, you'll need to take a visit to the Terminal and type the following:
pkill ZoomOpener;rm -rf ~/.zoomus;touch ~/.zoomus &&chmod 000 ~/.zoomus;
pkill "RingCentralOpener";rm -rf ~/.ringcentralopener;touch ~/.ringcentralopener &&chmod 000 ~/.ringcentralopener;#