Apple pushes out another emergency security update to fix videoconferencing vulnerabilities
Having released a silent update last week to protect Zoom users from webcam hijacking, Apple has now pushed out a second security patch that is silently installed in the background.
This second patch addresses issues with the RingCentral and Zhumu videoconferencing tools. These apps suffered from a very similar vulnerability, putting users at risk, so Apple has stepped in once again to neutralize the problem.
The RingCentral and Zhumu videoconferencing apps are white-label partner apps built on Zoom technology, so it's little wonder that much the same security issue has been found in them. Security researcher Karan Lyons first drew attention to the fact that the vulnerability existed in more than just the main Zoom app.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
CVE-2019-13576 & CVE-2019-13586
Follow these instructions to protect yourself: https://t.co/FVkyBM1efB pic.twitter.com/c66hvGb1wm
— Karan Lyons (@karanlyons) July 15, 2019
As with Zoom, the partner apps also install a web server that can be used to hijack webcams. Uninstalling the apps is not enough to remove the server, meaning even people who have removed the videoconferencing tools remain at risk. Apple's latest update kills this server.
Zoom technology is used in a number of other apps, as noted by Lyons, and Apple has not said whether further updates will be released to patch these as well.