Apple Releases macOS Fix to Plug Zero-Day Flaw Exploited by the “XCSSET” Malware
Last updated September 21, 2021
Apple is showing the world how a company should move quickly and do what is needed when it comes to protecting the privacy of its users. More specifically, the company has pushed a silent Mac update that removes the Zoom web server that stays on the system even after a user uninstalls the popular conferencing software, and has disabled its own “Walkie Talkie” app on the Apple Watch following concerns about a possibility of eavesdropping. While Apple has been criticized for its slow response on other occasions, this time we have to give it to them.
A couple of days back, we looked into the problem with Zoom, and how a researcher’s proof-of-concept code revealed that Zoom could be launched on a Mac with the camera activated, and could even cause a DoS condition on an iPhone. One of the critical parts of achieving this for an attacker would be to take advantage of a leftover localhost web server that stays on the system even after Zoom is deleted and can re-download the client without asking the user. While Zoom did try to do something about this, it limited its fix to adding a prompt that asks the user to choose whether they want their camera activated when joining a meeting.
Apple decided that this wasn’t enough to protect its users, so it has pushed a silent update that removes the web server and will also prompt users to confirm whether they really want to open the app instead of letting this happen automatically. This prevents both the silent re-download of the client and the forcing of the user into a meeting. Thus, there can be no exploitation of the exposed vulnerability on the Mac anymore.
On the Apple Watch, the company has disabled the Walkie Talkie app due to an undisclosed vulnerability that would allow an attacker to listen in on another customer’s iPhone without that person’s consent. Apple apologized for having to remove an app that was used by quite a lot of people who enjoyed it very much, and promised that the removal is only temporary, so Walkie Talkie will be back once the flaw is fixed. Thankfully, this comes before the vulnerability was exploited in the wild, so we have another case of timely discovery and proactive fixing.
Do you trust Apple to take care of your privacy, or do you prefer to use a different vendor? Let us know where you stand in the comments down below, or join the discussion on our socials, on Facebook and Twitter.