Zoom has addressed a bug that could have resulted in unrestricted access to macOS systems.
Zoom versions 5.7.3 to 5.11.5, according to an Aug. 13 security bulletin, contain an auto-update vulnerability that a local low-privileged user could exploit to gain unrestricted access to Apple’s operating system. The flaw, discovered by Mac security expert Patrick Wardle and presented at last week’s DefCon, has been fixed in Zoom version 5.11.5, which is now available.
According to The Verge, the exploit targets the Zoom installer, which requires a user password when Zoom is first installed. Wardle discovered, however, that the auto-update function running in the background, which relies on Zoom’s cryptographic signature to accept an update, could be tricked into installing malware. Once inside the system, an attacker can modify, delete, or add files on the device.
“I was curious about how they were setting this up,” Wardle told Wired prior to his DefCon presentation. “And when I looked, it appeared on first glance that they were doing things securely—that they had the right ideas.” However, upon closer inspection, the code’s quality was suspect, and it appeared that no one was thoroughly auditing it.
Wardle praised Zoom on Twitter for its “incredibly quick fix.” Wardle notes that when evaluating the patch, the “Zoom installer now invokes lchown to update the permissions to the update.pkg, thus preventing malicious subversion.”
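The ownership change Wardle describes matters because a privileged installer that verifies a package a low-privileged user can still write to has no guarantee that the file it verified is the file it installs. The following is an added example, not Zoom’s code, showing the class of check such an installer should make: take ownership of the package with lchown, strip group and world write bits, and refuse anything that is a symlink, not a regular file, owned by someone else, or sitting in a directory others can write to. The function names, the `expected_uid` parameter, and the sample files built by `demo()` are assumptions made for this example; the demo uses the current uid so it runs without root.

```python
"""Ownership and permission check for an update package before a privileged
installer consumes it (added example, not Zoom's code)."""
from __future__ import annotations

import os
import stat
import tempfile


def package_is_safe_to_install(path: str, expected_uid: int = 0) -> tuple[bool, str]:
    """Return (ok, reason).

    The package must be a regular file (not a symlink), owned by expected_uid
    (root by default) and writable only by its owner, so no other local
    account can replace or modify it between the signature check and the
    install step. The containing directory is checked too: a world-writable
    directory without the sticky bit lets anyone rename a different file
    into place."""
    try:
        st = os.lstat(path)  # lstat so a planted symlink is seen, not followed
    except FileNotFoundError:
        return False, "package does not exist"
    if stat.S_ISLNK(st.st_mode):
        return False, "package is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "package is not a regular file"
    if st.st_uid != expected_uid:
        return False, f"package owned by uid {st.st_uid}, expected {expected_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "package is group- or world-writable"
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return False, "parent directory is world-writable without sticky bit"
    return True, "ok"


def take_ownership(path: str, uid: int, gid: int) -> None:
    """What a privileged installer does before verifying: chown the package to
    itself and leave it writable only by the owner. lchown does not follow
    symlinks, so a symlink planted at the path does not redirect the change."""
    os.lchown(path, uid, gid)
    os.chmod(path, 0o644)


def demo() -> dict[str, bool]:
    """Build constructed sample files in a fresh temp directory and run the
    check against each scenario. Returns scenario name -> accepted?"""
    me, my_gid = os.getuid(), os.getgid()
    workdir = tempfile.mkdtemp()  # mode 0700, so the parent-directory check passes
    pkg = os.path.join(workdir, "update.pkg")
    with open(pkg, "wb") as fh:
        fh.write(b"constructed placeholder package bytes")  # not a real .pkg
    results: dict[str, bool] = {}

    os.chmod(pkg, 0o644)
    results["owner_writable_only"] = package_is_safe_to_install(pkg, me)[0]

    os.chmod(pkg, 0o666)  # any local user could now swap the contents
    results["world_writable"] = package_is_safe_to_install(pkg, me)[0]

    take_ownership(pkg, me, my_gid)  # the installer's remediation step
    results["after_take_ownership"] = package_is_safe_to_install(pkg, me)[0]

    link = os.path.join(workdir, "link.pkg")
    os.symlink(pkg, link)
    results["symlink"] = package_is_safe_to_install(link, me)[0]

    results["missing"] = package_is_safe_to_install(os.path.join(workdir, "missing.pkg"), me)[0]
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:24s} accepted={accepted}")
```

The order is the point: ownership must be taken before the signature is verified, not after, because a check performed on a file the attacker can still write is a check on the wrong file.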
Sign in to the Zoom desktop client, tap your profile picture, and then select Check for updates to install the 5.11.5 update on your Mac. If a newer version is available, Zoom will download and install it.
At last week’s Black Hat security conference, another security researcher demonstrated how he used the Zoom technology that underlies other applications to take complete control of a target’s computer. Patches have also been released to address this vulnerability.