By John Gruber
The fallout from Zoom’s massive webcam vulnerability continues. In a report published today, security researcher Karan Lyons shows that the same flaw — which gave attackers easy access to laptop cameras and microphones — affects RingCentral, which is used by over 350,000 businesses, as well as Zhumu, essentially the Chinese version of Zoom.
On July 16, Apple confirmed that it had released another silent update to Macs patching the vulnerability affecting Zoom’s partner apps. The update, which went out this morning, requires no user action, but may take some time to roll out to all impacted Macs. Lyons tweeted that Apple’s latest update takes action on 11 different apps, all vulnerable to the Zoom webcam flaw.
So here’s an interesting question. I’ve been using the phrase “nonconsensual technology” to describe Zoom’s invisible web server that remained installed and running even after you deleted the Zoom app. But when Apple first issued a silent, emergency system update to remove Zoom’s software, a few DF readers emailed or tweeted to ask: Isn’t this “nonconsensual technology” too?
Clearly, the answer sounds like yes at first. Users get no indication of the update, and “requires no user action” makes it sound like it’s mandatory. But there is a setting to control this, allowing Mac users to disable the automatic installation of such updates. On MacOS 10.14 Mojave, it’s in System Prefs → Software Update → Advanced (screenshot); on 10.13 High Sierra, it’s in System Prefs → App Store (screenshot). In both versions, the checkbox is labeled “Install system data files and security updates”, and resides at the bottom of the section that controls what gets installed automatically.
This option is enabled by default — even if you choose to install regular system updates manually — which is why the vast majority of Mac users are getting these “silent” updates automatically. But if you disable this option, even these silent updates won’t be installed automatically. I confirmed this with an Apple spokesperson, who emphasized that Apple only issues such updates “extremely judiciously”. Any pending security updates will be installed the next time you manually update software.
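For anyone managing a fleet of Macs, the question above ("is this machine set to take silent security updates or not?") can be answered without clicking through System Prefs. The following audit script is an added example, not code from the post or from Apple; it assumes (an assumption, not something the post states) that the "Install system data files and security updates" checkbox is backed by the `ConfigDataInstall` and `CriticalUpdateInstall` keys in `/Library/Preferences/com.apple.SoftwareUpdate`, and it treats an unset key as "on", matching the default the post describes.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumption: the macOS
# checkbox "Install system data files and security updates" is stored as the
# keys ConfigDataInstall and CriticalUpdateInstall in the domain below.
PLIST_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# Read one key. A missing key is reported as "1" because the option is on by
# default (the post's description), so an unset key still means "auto".
read_key() {
    val=$(defaults read "$PLIST_DOMAIN" "$1" 2>/dev/null) || val=1
    printf '%s\n' "$val"
}

# Decide the effective state from the two stored values.
# Exit 0: silent security updates install automatically.
# Exit 1: they are held until the next manual Software Update run.
# Both keys must be "1"; if either has been turned off the checkbox is
# effectively off for audit purposes (assumption, stated in the lead-in).
silent_updates_enabled() {
    config="$1"
    critical="$2"
    [ "$config" = "1" ] && [ "$critical" = "1" ]
}

# One line per host, suitable for collecting into a fleet inventory.
report_line() {
    if silent_updates_enabled "$1" "$2"; then
        echo "silent-security-updates=auto"
    else
        echo "silent-security-updates=manual"
    fi
}

# Only query the real preference store on macOS; elsewhere the functions
# above can still be exercised with constructed values.
if [ "$(uname)" = "Darwin" ]; then
    report_line "$(read_key ConfigDataInstall)" "$(read_key CriticalUpdateInstall)"
fi
```

A host that reports `manual` has opted out of the automatic path the post describes and will pick up any pending security update only when someone runs Software Update by hand.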
I think Apple has struck a nearly perfect balance here, between doing what’s right for most users (installing these rare emergency updates automatically) and doing what’s right for power users who really do want to control when updates — even essential ones — are installed. I also think Apple is doing the right thing by going to the press and explaining when they issue such updates. If I could tweak anything, it would be to have these updates show up in the regular list of pending software updates if you have “Install system data files and security updates” turned off.