Zoom has just patched a macOS bug that let an attacker with an ordinary user account on a Mac escalate to root, the all-powerful account on the operating system. But a further bug remains live, according to the security researcher who discovered it.
Users who have not updated their software are still exposed to both the patched bug and the unpatched one.
Since the pandemic, companies across the globe have turned to Zoom to facilitate collaboration in remote working environments, with its 300 million-strong active user base an appealing target for hackers.
macOS users with the Zoom client installed have been advised by the company to update their systems as soon as possible.
Security Issues Escalate Quickly
The flaw in Zoom's software, tracked as CVE-2022-28756, allows an attacker who already has a low-privileged foothold on a Mac to escalate to root, which amounts to control of the entire operating system. It is a local privilege-escalation bug, not a remote one: the attacker first needs to run code on the machine, for instance through malware or a compromised account.
The issue was discovered by Patrick Wardle of the Objective-See Foundation, a non-profit that creates security tools for devices running macOS. He revealed the existence of the bug to the public at the Def Con hacking conference in Las Vegas last Friday.
The vulnerability lies in Zoom's auto-update mechanism, which the installer sets up with far more privilege than the application itself needs.
The installer asks the user for their password once, when the application is added to the system. It then installs a background auto-update component that runs with "superuser" privileges: root, the account on macOS that can do anything to the system. Because the updater is already root, anything that can trick it into installing a package of the attacker's choosing inherits that power.
When an update is rolled out, the updater checks that the new package has been cryptographically "signed" by Zoom. But the check was implemented by looking for the name of Zoom's signing certificate in the text output of the signature-checking tool, rather than by validating the signature itself. Since that output echoes the package's file name, any package whose name contained the certificate's name was green-lit for installation, signed or not.
According to Wardle, an attacker could easily exploit this to mount a "privilege escalation attack": starting from an ordinary, low-privileged account, they hand the root-level updater a malicious package named to pass the check, and the updater installs it with root privileges on their behalf.
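To make the failure concrete, here is an added example (not Zoom's code, and not from Wardle's research) of the two ways an updater might inspect the output of `pkgutil --check-signature`, the macOS tool that reports who signed an installer package. The weak check looks for the expected certificate names anywhere in the output, which is the pattern described above; the strict check parses the output structurally and only trusts a package staged at a path the updater chose itself. The certificate names, the team ID, the staging path and the three `pkgutil` outputs below are all assumptions constructed to mirror the tool's layout, not values taken from the article or from Zoom.

```python
"""Added example (not Zoom's code): substring matching on pkgutil output
versus a structural check.  Every name, path and sample output here is an
assumption constructed for illustration."""
import re
import subprocess

# Certificate names the updater expects to see (assumed); the team ID in
# parentheses is a placeholder, not Zoom's real one.
EXPECTED_LEAF = "Developer ID Installer: Zoom Video Communications, Inc."
EXPECTED_INTERMEDIATE = "Developer ID Certification Authority"
SIGNED_STATUS = "Status: signed by a developer certificate issued by Apple for distribution"
# Hypothetical root-owned staging location the updater copies packages into
# before checking them.  An attacker's file name never reaches pkgutil, and a
# file only root can write cannot be swapped between the check and the install.
STAGED_PATH = "/var/root/zoom-update/update.pkg"


def weak_check(pkgutil_output: str) -> bool:
    """The flawed pattern: accept the package if the expected certificate
    names appear anywhere in the tool's output, file-name header included."""
    return EXPECTED_LEAF in pkgutil_output and EXPECTED_INTERMEDIATE in pkgutil_output


_CHAIN_ENTRY = re.compile(r"^\s*\d+\.\s+(.*\S)\s*$")   # e.g. "    1. Developer ID Installer: ..."


def strict_check(pkgutil_output: str, team_id: str, package_path: str) -> bool:
    """Accept only if the header names the path we chose, the status line says
    the package is signed, and the chain's leaf is exactly our certificate."""
    lines = pkgutil_output.splitlines()
    # 1. Header must be the path the updater itself picked.  This also defeats
    #    a file name containing newlines, which could otherwise inject lines.
    if not lines or lines[0] != f'Package "{package_path}":':
        return False
    # 2. The package must actually be signed, not merely mention a certificate.
    if not any(line.strip() == SIGNED_STATUS for line in lines[1:]):
        return False
    # 3. Leaf certificate must match exactly, team ID included, and the chain
    #    must pass through Apple's Developer ID intermediate.
    try:
        start = next(i for i, line in enumerate(lines) if line.strip() == "Certificate Chain:")
    except StopIteration:
        return False
    entries = [m.group(1) for line in lines[start + 1:] if (m := _CHAIN_ENTRY.match(line))]
    return (len(entries) >= 2
            and entries[0] == f"{EXPECTED_LEAF} ({team_id})"
            and EXPECTED_INTERMEDIATE in entries[1:])


def check_package(path: str, team_id: str) -> bool:
    """Run the real tool (macOS only).  Assumes pkgutil echoes the path as given."""
    out = subprocess.run(["pkgutil", "--check-signature", path],
                         capture_output=True, text=True).stdout
    return strict_check(out, team_id, path)


# Constructed output for a genuine signed package staged at STAGED_PATH.
SIGNED_OUTPUT = f"""Package "{STAGED_PATH}":
   {SIGNED_STATUS}
   Signed with a trusted timestamp on: 2022-08-09 00:00:00 +0000
   Certificate Chain:
    1. {EXPECTED_LEAF} (TEAMID0000)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
       ------------------------------------------------------------------------
    2. {EXPECTED_INTERMEDIATE}
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
"""

# Constructed output for an unsigned attacker package whose file name merely
# contains both expected certificate names.
SPOOFED_OUTPUT = (f'Package "{EXPECTED_INTERMEDIATE} {EXPECTED_LEAF}.pkg":\n'
                  '   Status: no signature\n')

# Constructed output for a file name containing newlines, if it were echoed
# verbatim: the injected lines look like a valid chain, but the header is wrong.
INJECTED_OUTPUT = ('Package "evil\n'
                   f'   {SIGNED_STATUS}\n'
                   '   Certificate Chain:\n'
                   f'    1. {EXPECTED_LEAF} (TEAMID0000)\n'
                   f'    2. {EXPECTED_INTERMEDIATE}\n'
                   '.pkg":\n'
                   '   Status: no signature\n')
```

Running `weak_check` on `SPOOFED_OUTPUT` returns True, which is the bypass: the certificate name is present only because the tool printed the attacker's file name. `strict_check` rejects it, rejects the newline-injected variant because the header does not match, and rejects a genuine Zoom-signed package presented under the wrong team ID. The more general lesson is that a privileged updater should never parse free-form text that an unprivileged user can influence; copy the package into a location only root can write, verify it there, and install from that same path.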
Zoom’s Sluggish Response
On the surface, a hacking conference may seem an odd place to first disclose such a serious flaw in such widely used software. But Wardle had in fact reported the bug to Zoom in December 2021 and presented his research eight months later.
Zoom did ship a fix after Wardle reported his findings, but it only made the exploit harder to pull off, not impossible.
A second attempt closed the vulnerability, but a subsequent "error" on Zoom's part left it exploitable once more.
So, alongside the research already disclosed to Zoom, Wardle disclosed a new bug, reportedly still live, during his Def Con talk.
Wardle says the new bug should be easy to fix, and Zoom says it is working "diligently" to address it. In the meantime, the most recent Zoom update should still be installed, as the company's security bulletin advises.
This isn't the first time that Zoom has left a lot to be desired when it comes to security. Most famously, in March 2020, Zoom wrongly claimed meetings between participants were end-to-end encrypted.
In reality, the data was only encrypted in transit between each participant's device and Zoom's servers, where it was decrypted. That is transport encryption, not end-to-end encryption, and it meant that anyone with access to Zoom's servers could in principle access the audio and video of meetings. True end-to-end encryption was eventually rolled out several months later, in October 2020.
Update Your Zoom App Now
As mentioned above, Zoom has now published the initial patch on its security bulletin portal and advised users to update their applications.
“The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto-update process,” the latest bulletin reads.
“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download”.
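The bulletin gives a version range rather than a list of builds, so a quick way to tell whether a given Mac needs the update is to compare the installed version against that range numerically. The following is an added example, not Zoom's tooling: it reads the client's version from the app bundle (the bundle path `/Applications/zoom.us.app` is an assumption) and reports whether it falls in the affected range of 5.7.3 up to, but not including, 5.11.5 quoted from the bulletin above.

```python
"""Added example (not Zoom's code): check an installed macOS Zoom client
against the version range in the security bulletin.  The bundle path is an
assumption."""
import plistlib
from pathlib import Path
from typing import Optional, Tuple

# Range quoted from the bulletin: 5.7.3 (inclusive) up to 5.11.5 (exclusive).
FIRST_AFFECTED = (5, 7, 3)
FIRST_FIXED = (5, 11, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.11.5' or '5.11.5 (9998)' into a tuple of ints so that
    5.11.10 sorts after 5.11.9 (a plain string comparison would not)."""
    core = text.strip().split()[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))      # pad '5.11' to (5, 11, 0)


def is_affected(version: str) -> bool:
    """True if the version lies inside the bulletin's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def installed_zoom_version(bundle: str = "/Applications/zoom.us.app") -> Optional[str]:
    """Read the version string from the bundle's Info.plist (assumed path).
    Returns None when the bundle is not present."""
    plist = Path(bundle) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as f:
        return plistlib.load(f).get("CFBundleShortVersionString")


if __name__ == "__main__":
    installed = installed_zoom_version()
    if installed is None:
        print("Zoom not found at the assumed bundle path")
    elif is_affected(installed):
        print(f"Zoom {installed} is in the affected range: update now")
    else:
        print(f"Zoom {installed} is outside the affected range")
```

Note that the range only covers the first CVE the bulletin lists; a client outside that range is not automatically safe from the newer bug the article says is still unpatched, so the advice to keep updating stands regardless of what this check prints.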
Whenever you hear about a security vulnerability in software or an operating system you use, the first thing to do is update it promptly, either through the application's own update mechanism or with a fresh download straight from the vendor's official website, and never from a link in an unsolicited message.
Hopefully, Zoom will have patched the newly-found vulnerability shortly – so keep an eye out for another update.