Apple pushes out another emergency security update to fix videoconferencing vulnerabilities
This second patch addresses issues with the RingCentral and Zhumu videoconferencing tools. These apps suffered from a very similar vulnerability, putting users at risk, so Apple has stepped in once again to neutralize the problem.
The RingCentral and Zhumu videoconferencing apps are white-label partner apps that use Zoom technology, so it's little wonder that much the same security issue has been found in them. It was security researcher Karan Lyons who first drew attention to the fact that the vulnerability existed in more than just the main Zoom app.
RingCentral (and Zhumu, and likely all of Zoom’s white labels) are vulnerable to another, slightly different, RCE. They are not automatically removed by Apple.
CVE-2019-13576 & CVE-2019-13586
— Karan Lyons (@karanlyons) July 15, 2019
As with Zoom, the partner apps also install a web server that can be used to hijack webcams. Uninstalling the apps is not enough to remove the server, meaning even people who have removed the videoconferencing tools remain at risk. Apple's latest update kills this server.
Zoom technology is used in a number of other apps, as noted by Lyons, and Apple has not said whether further updates will be released to patch these as well.