Apple’s stealth Mac security update removes flawed software, report says


Apple reportedly released a quiet Mac security update to fix a vulnerability in Zoom’s partner apps.


Apple quietly rolled out a Mac security update to remove flawed software from Zoom partner apps RingCentral and Zhumu, according to a BuzzFeed News report. The update will reportedly roll out automatically but could take some time to reach all affected computers. 

RingCentral and Zhumu are video conferencing apps that use technology from Zoom. Last week, security researcher Jonathan Leitschuh flagged a Zoom security flaw that allowed websites to join users to video calls and activate Mac webcams without permission. In response, Zoom rolled out a patch in which the company completely removed the local web server on Mac devices. That web server was designed to facilitate joining meetings without extra clicks.

A report from security researcher Karan Lyons published Monday found that Zoom’s flaw affected partner apps. Lyons said in a tweet Tuesday that Apple’s Mac security update affects 11 apps that were vulnerable to the flaw.

In a statement, RingCentral said it “recently learned of video-on vulnerabilities in RingCentral Meetings software and we have taken immediate steps to mitigate these vulnerabilities for any customers who could be affected.” As of Tuesday, the company says, RingCentral isn’t aware of any customers who were impacted by the vulnerabilities. It’s keeping customers updated via an article on its support page, and security and engineering teams are monitoring the situation.

Last week, Apple sent out a silent update for Macs that removed a feature that quickly connected people to conference calls. The company reportedly said that measure would protect current and previous users from the vulnerability without impacting the Zoom app’s functionality. As part of that update, users will now be asked if they want to open the app rather than having it open automatically.

Apple didn’t immediately respond to a request for comment. Zhumu couldn’t immediately be reached for comment.

Originally published July 16 at 1:24 p.m. PT.
Update, 2:06 p.m. PT: Adds comment from RingCentral.