Apple has sent out a quiet security update to Mac users two days after a security researcher detailed a flaw in the software of the web conferencing company Zoom that could remotely turn on a person's webcam. The local web server that the Zoom client installs stays active and listens on port 19421 even if someone uninstalls Zoom. Joining a meeting generally involves someone sending a unique link over the web, which the recipient can click to join.
According to Leitschuh's claims earlier this week, even if Mac users uninstall the Zoom app from their system, the web server continues to persist and can reinstall Zoom without the user's permission. Uninstalling Zoom can therefore leave the web server on your device, which means the vulnerability remains.
If a user has ever installed the Zoom client and then uninstalled it, the Mac still has a localhost web server that will reinstall the Zoom client without requiring any user interaction beyond visiting a webpage. Gray reported that Leitschuh likely came close to finding a remote-code execution vulnerability affecting the local web server.
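The one thing a Mac user can verify directly from the article's description is whether anything is still accepting connections on the local port it names. The following is an added example, not code from the article, Zoom or Apple: a small Python check that attempts a TCP connect to 127.0.0.1:19421 and reports the result, where a refused connection means no server is bound to that port. It assumes nothing about Zoom's process or file names, which the article does not give; the constant name ZOOM_LOCAL_PORT is ours, and the demo function uses a throwaway listener on an ephemeral port so both outcomes can be seen on any machine.

```python
import socket

# Port the article says the leftover local web server listens on.
ZOOM_LOCAL_PORT = 19421
LOOPBACK = "127.0.0.1"


def is_local_listener(port: int, host: str = LOOPBACK, timeout: float = 0.5) -> bool:
    """Return True if something accepts TCP connections on host:port.

    A refused or timed-out connection means nothing is bound there.
    Only a connect is attempted; no data is sent to the peer.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(ports=(ZOOM_LOCAL_PORT,)) -> dict:
    """Map each port to a short verdict for a quick local check."""
    return {
        port: "LISTENING - find out which process owns this port"
        if is_local_listener(port)
        else "closed"
        for port in ports
    }


def demo_with_local_listener() -> tuple:
    """Show both outcomes using a throwaway listener on an ephemeral port.

    Returns (result while the listener is up, result after it is closed).
    The listener here is constructed for the demo and is not Zoom's server.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((LOOPBACK, 0))  # port 0 lets the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    try:
        while_open = is_local_listener(port)
    finally:
        server.close()
    after_close = is_local_listener(port)
    return while_open, after_close


if __name__ == "__main__":
    for port, verdict in audit().items():
        print(f"{LOOPBACK}:{port}: {verdict}")
    print("demo (open, closed):", demo_with_local_listener())
```

Run it on the Mac in question: a "closed" verdict for port 19421 means no local server is bound there; a "LISTENING" verdict tells you only that something answers on that port, so the next step is identifying the owning process with the system's own tools before deciding whether it is the server the article describes.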
Leitschuh wrote that Zoom had failed to heed his warnings for months and only implemented a partial fix at the last minute, while the company told ZDNet on Monday the technique was a "legitimate solution to a poor user experience" necessitated by changes in Safari 12 (namely, a privacy protection feature that forced users to verify they actually wanted to launch Zoom). Security best practices generally recommend public disclosure of major threats or vulnerabilities within a 90-day period, and the blog post suggested the company had not acted in a timely manner to protect its customers.
Zoom said in a statement on Wednesday that it worked with Apple to remove the web server from Macs. "We take full ownership and we've learned a great deal." Farley told The Verge, "Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks - we believe that was the right decision".
Leitschuh declined to participate in Zoom's private bug bounty program because its terms bound him not to discuss the issues publicly after patching. That's not a security concern.