Apple update kills off Zoom web server

Zoom CEO says company misjudged the situation that has rolled into its third day.
Written by Chris Duckett, Contributor
(Image: Zoom)

Apple has pushed an update to Mac users that ensures Zoom's controversial web server is removed from Mac computers.

"Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch," Zoom founder and CEO Eric Yuan wrote in a blog post.

"Zoom worked with Apple to test this update, which requires no user interaction."

The company added in a statement that Apple's background update was the "most foolproof way to get this done".

Yuan also said his company took "full ownership and we've learned a great deal" from the saga that began when security researcher Jonathan Leitschuh contacted the company in March.

"We misjudged the situation and did not respond quickly enough -- and that's on us," Yuan wrote.

On Tuesday, Zoom defended the use of the server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

By Wednesday, that differentiator had been dropped, as the company announced in a repeatedly updated blog post that it would walk back its local web server support in a patch prepared for Tuesday night.

The company told ZDNet on Wednesday that the change of course was in response to customer feedback, not security concerns.

"There was never a remote code execution vulnerability identified. Zoom decided to remove the web server based on feedback from the security community and our users," it said.

"Even for those who did not upgrade, Zoom will not use the local web server to join meetings automatically anymore as we have disabled it on our backend."

Patrick Gray reported on his Risky Business podcast on Wednesday that a third-party bug bounty program had found a remote code execution vulnerability in the server.

Leitschuh said the use of the local server was a fundamental security vulnerability, and sites should not communicate with applications in such a fashion.

"Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me," he wrote.

"Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher."
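As an added illustration (not Zoom's code and not from the article): the standard mitigation for the problem Leitschuh describes is for a localhost helper server to refuse any request whose browser-sent Origin header does not exactly match a first-party origin. The port and the allowed-origin list below are constructed placeholders, not Zoom's values.

```python
"""Origin allow-listing for a localhost helper server (added illustration).

Assumptions: the port and ALLOWED_ORIGINS are constructed for this example;
nothing here is Zoom's code or configuration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: only these web origins may call the local API.
ALLOWED_ORIGINS = frozenset({"https://example-meetings.test"})


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Return True only for an exact match against the allow-list.

    A missing Origin is refused: browsers send Origin on cross-origin
    fetch/XHR and on POSTs, but a plain GET triggered by an <img> or
    <script> tag may carry none, so "no Origin" must not mean "trusted".
    Exact matching (no prefix/suffix checks) avoids the usual bypass of
    registering a look-alike such as host.example.attacker-controlled.
    """
    if not origin:
        return False
    if not origin.startswith("https://"):
        return False  # never trust a plaintext origin for a local API
    return origin in allowed


class LocalApiHandler(BaseHTTPRequestHandler):
    """Minimal handler: 403 unless the Origin header is allow-listed."""

    def do_GET(self):
        origin = self.headers.get("Origin")
        if not origin_allowed(origin):
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        # Echo only the verified origin back, never a wildcard.
        self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


def serve(port=51234):
    # Bind to loopback only; the listener must never be reachable off-host.
    HTTPServer(("127.0.0.1", port), LocalApiHandler).serve_forever()


if __name__ == "__main__":
    serve()
```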

Besides Wednesday's update that removes the web server, the company is planning to release an update on July 12 that will save a new user's preference for whether to enable video by default or not.

Despite the mishandling of the incident, Zoom's share price has continued to rise throughout the week, sitting at $92.72 a share at the time of writing, up 2% on the day.
