If you’re using Zoom on a Mac, it’s time for a manual update. The video conferencing software’s latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installation powers, granting increased privileges and system control.
The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a non-profit macOS security group. In a talk at Def Con last week, Wardle detailed how Zoom’s installer asks for the user’s password when installing or uninstalling, but its auto-update feature, which is enabled by default, does not. Wardle found that Zoom’s updater is owned by root and runs as root.
That looked secure: only Zoom clients could connect to the privileged daemon, and it would only install packages signed by Zoom. The problem was in how the signature was checked. The verifier looked for the expected certificate names as text, so a package whose file name contained the very strings it was looking for (“Zoom Video ... Certification Authority Apple Root CA.pkg”) passed the check. A malicious program already running on the Mac could therefore have the daemon downgrade Zoom to an older, less secure version, or hand it an entirely different package that would be installed as root, giving the attacker control of the system.
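To make that class of flaw concrete, here is an added Python sketch (not Zoom’s code; the report format, signer names and version numbers are constructed for illustration) of a verifier that substring-matches a signature report which begins with the attacker-controlled file name, next to a check that compares the parsed certificate chain field by field and also refuses downgrades:

```python
"""Illustration of a text-match signature check and its hardened replacement.

Constructed example: the report layout, the signer names and the version
numbers below are made up for this illustration and are not Zoom's.
"""
from dataclasses import dataclass
from typing import Tuple

# Names a naive verifier expects to see somewhere in the signature report.
EXPECTED_SIGNER = "Zoom Video Communications, Inc."       # constructed
EXPECTED_ROOT = "Apple Root CA"                           # constructed


@dataclass(frozen=True)
class Package:
    filename: str                  # attacker-controlled on disk
    signer_chain: Tuple[str, ...]  # parsed cert chain, leaf first; () = unsigned
    version: Tuple[int, int, int]  # (major, minor, patch)


def signature_report(pkg: Package) -> str:
    """Mimic a tool that prints a human-readable report: the package path
    first, then the certificate chain (or a note that it is unsigned)."""
    lines = [f'Package "{pkg.filename}":']
    if not pkg.signer_chain:
        lines.append("   Status: no signature")
    else:
        lines.append("   Status: signed")
        lines.extend(f"   {i + 1}. {name}" for i, name in enumerate(pkg.signer_chain))
    return "\n".join(lines)


def naive_is_trusted(pkg: Package) -> bool:
    """Vulnerable: substring-matches the whole report, file name included,
    so an unsigned package named after the expected signers passes."""
    report = signature_report(pkg)
    return EXPECTED_SIGNER in report and EXPECTED_ROOT in report


def strict_is_trusted(pkg: Package, installed_version: Tuple[int, int, int]) -> bool:
    """Hardened: compare the parsed chain fields exactly (never the file name)
    and refuse anything that is not strictly newer than what is installed."""
    chain = pkg.signer_chain
    if not chain:
        return False
    if chain[0] != EXPECTED_SIGNER or chain[-1] != EXPECTED_ROOT:
        return False
    if pkg.version <= installed_version:   # blocks downgrades and re-installs
        return False
    return True


# Constructed sample packages.
GENUINE_CHAIN = (EXPECTED_SIGNER, "Developer ID Certification Authority", EXPECTED_ROOT)
GENUINE = Package("zoomUpdate.pkg", GENUINE_CHAIN, (5, 11, 5))
OLD_GENUINE = Package("zoomUpdate.pkg", GENUINE_CHAIN, (5, 10, 0))
RENAMED_MALICIOUS = Package(
    f"{EXPECTED_SIGNER} Developer ID Certification Authority {EXPECTED_ROOT}.pkg",
    (),            # unsigned: the trusted names live only in the file name
    (0, 0, 0),
)
INSTALLED = (5, 11, 4)


def evaluate() -> dict:
    """Run both checks over the samples; keys are (package, check) -> verdict."""
    out = {}
    for label, pkg in (("genuine", GENUINE), ("old_genuine", OLD_GENUINE),
                       ("renamed_malicious", RENAMED_MALICIOUS)):
        out[(label, "naive")] = naive_is_trusted(pkg)
        out[(label, "strict")] = strict_is_trusted(pkg, INSTALLED)
    return out


if __name__ == "__main__":
    for (label, check), verdict in evaluate().items():
        print(f"{label:18s} {check:7s} -> {'trusted' if verdict else 'REJECTED'}")
```

The naive check accepts the renamed, unsigned package and the genuine but older build; the strict check rejects both and accepts only the genuine, newer one. The point is not the exact string being matched but that a trust decision was made over text the attacker could influence.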
Wardle disclosed his findings to Zoom ahead of his talk, and some aspects of the vulnerability were addressed, but the root-access issue was still open when Wardle presented on Saturday. Zoom released a security bulletin later the same day, and a fix, Zoom version 5.11.5 (9788), followed soon after. You can download the update directly from Zoom or use “Check for Updates” from the menu bar. We don’t suggest waiting for an automatic update, for several reasons. (Update: Clarified Wardle’s disclosure and the update timeline.)
Zoom’s software security record is spotty and at times downright scary. The company settled with the FTC in 2020 after admitting it had lied for years about offering end-to-end encryption. Wardle previously disclosed a Zoom vulnerability that allowed attackers to steal Windows credentials by sending a text string. Before that, Zoom was caught running an undocumented local web server on Macs, prompting Apple to release its own silent update to kill the server.
Last May, a Zoom vulnerability that allowed zero-click remote code execution relied on a similar downgrade and signature-verification bypass. Dan Goodin at Ars Technica noted that his Zoom client did not update itself when the fix for that issue arrived; he had to manually download an interim release first. Hackers can quickly take advantage of disclosed Zoom vulnerabilities if users aren’t updated promptly, Goodin noted, and that was even without root access on offer.