If you’re using Zoom on your Mac, it’s time to update it manually. The latest release of the videoconferencing software fixes an auto-update vulnerability that could have allowed a malicious program to abuse the updater’s elevated installation rights, gaining escalated privileges and control of the system.
The hole was first found by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit macOS security group. In a talk at Def Con last week, Wardle detailed how Zoom’s installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, does not require one. Wardle found that Zoom’s updater is owned by and runs as the root user.
That seemed secure, since only Zoom clients could connect to the privileged daemon and only packages signed by Zoom could be extracted. The problem is that the check could be bypassed simply by handing the verifier a package whose name contained what it was looking for (“Zoom Video ... Certification Authority Apple Root CA.pkg”). That meant malicious actors could force Zoom to downgrade to a buggier, less secure version, or even pass it an entirely different package that could give them root access to the system.
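To make the two failure modes concrete, here is an added example that models them in Python. It is illustrative code, not Zoom’s or Wardle’s. It assumes the daemon verified an update by running `pkgutil --check-signature <pkg>` and searching the tool’s text output for the expected signer strings; because `pkgutil` echoes the package’s filename in its first output line, a filename that contains those strings satisfies a naive substring check. Both sample outputs are constructed to resemble `pkgutil`’s format, and the Team ID is a placeholder.

```python
"""
Added example: models the updater's two failure modes (signature-check bypass
via the echoed filename, and downgrade to an older signed build). Illustrative
code, not Zoom's or Wardle's. Assumption: the daemon ran
`pkgutil --check-signature <pkg>` and substring-matched its output.
The sample outputs below are constructed; the Team ID is a placeholder.
"""
import re

EXPECTED_ORG = "Zoom Video Communications, Inc."
EXPECTED_TEAM_ID = "TEAMID0000"  # placeholder, not Zoom's real Team ID
EXPECTED_INTERMEDIATE = "Developer ID Certification Authority"
EXPECTED_ROOT = "Apple Root CA"
VALID_STATUS = "Status: signed by a developer certificate issued by Apple for distribution"

# Constructed output for a properly signed package.
GENUINE_OUTPUT = f"""\
Package "zoomusInstallerFull.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: {EXPECTED_ORG} ({EXPECTED_TEAM_ID})
    2. {EXPECTED_INTERMEDIATE}
    3. {EXPECTED_ROOT}
"""

# Constructed output for an UNSIGNED package whose filename carries the
# expected strings: the shape of the bypass described above.
FORGED_NAME_OUTPUT = f"""\
Package "{EXPECTED_ORG} {EXPECTED_INTERMEDIATE} {EXPECTED_ROOT}.pkg":
   Status: no signature
"""


def vulnerable_check(output: str) -> bool:
    """Naive: substring-match the whole output, attacker-named file included."""
    return all(s in output for s in (EXPECTED_ORG, EXPECTED_INTERMEDIATE, EXPECTED_ROOT))


LEAF_RE = re.compile(r"^Developer ID Installer: (.+) \(([A-Z0-9]{10})\)$")
CHAIN_RE = re.compile(r"^(\d+)\.\s+(.*)$")


def hardened_check(output: str) -> bool:
    """Ignore the echoed filename; require the exact status and full chain."""
    lines = [line.strip() for line in output.splitlines()]
    if not lines or not lines[0].startswith("Package "):
        return False
    body = lines[1:]  # drop the line that echoes the attacker-controlled filename
    if VALID_STATUS not in body:
        return False
    chain = []
    for line in body:
        m = CHAIN_RE.match(line)
        if m:
            chain.append(m.group(2))
    if len(chain) != 3:
        return False
    leaf = LEAF_RE.match(chain[0])
    return (leaf is not None
            and leaf.group(1) == EXPECTED_ORG
            and leaf.group(2) == EXPECTED_TEAM_ID
            and chain[1] == EXPECTED_INTERMEDIATE
            and chain[2] == EXPECTED_ROOT)


def parse_version(v: str) -> tuple:
    """'5.11.5 (9788)' -> (5, 11, 5); a trailing build number is ignored."""
    return tuple(int(x) for x in v.split()[0].split("."))


def accept_update(output: str, candidate: str, installed: str) -> bool:
    """Updater policy: genuine Zoom signature AND not a downgrade."""
    return hardened_check(output) and parse_version(candidate) >= parse_version(installed)


if __name__ == "__main__":
    print("naive, genuine package:   ", vulnerable_check(GENUINE_OUTPUT))
    print("naive, forged filename:   ", vulnerable_check(FORGED_NAME_OUTPUT))
    print("hardened, forged filename:", hardened_check(FORGED_NAME_OUTPUT))
    print("hardened, 5.11.5 -> 5.11.3:",
          accept_update(GENUINE_OUTPUT, "5.11.3", "5.11.5 (9788)"))
```

The hardened variant still parses free-form tool output, which is fragile: a filename with an embedded newline could inject what look like status lines. A privileged updater should instead evaluate the package with the Security framework (a code-signing requirement pinning Zoom’s Team ID) and refuse any package whose version is below the one already installed, which is exactly the downgrade path the text describes.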
Wardle disclosed his findings to Zoom before his talk, and some aspects of the vulnerability have since been fixed, but the root-access path was still open as of Wardle’s talk on Saturday. Zoom issued a security bulletin later that day, and a patch, version 5.11.5 (9788), followed shortly thereafter. You can download the update directly from Zoom or use the “Check for updates” option in the menu bar. We would not suggest waiting for the automatic update, for a variety of reasons. (Update: Wardle’s disclosure and update timings clarified.)
Zoom’s software security record is spotty, and at times downright scary. The company settled with the FTC in 2020 after admitting it had lied for years about providing end-to-end encryption. Wardle previously disclosed a Zoom vulnerability that allowed attackers to steal Windows credentials by sending a string of text. Before that, Zoom was caught running an entire undocumented web server on Macs, prompting Apple to issue its own silent update to kill the server.
Last May, a Zoom vulnerability that enabled zero-click remote code execution used a similar signature-check bypass and downgrade approach. Ars’ Dan Goodin noted that his Zoom client didn’t actually update when the fix for that issue arrived, requiring a manual download of an intermediate version first. Hackers can take advantage of publicly exposed Zoom vulnerabilities quickly if Zoom users aren’t updated right away, Goodin noted. Minus the root access, of course.