Zoom updates macOS installer to remove malware-like exploits

Video conferencing app Zoom has updated its macOS installer, removing the installation process, described as "shady," for which it had recently been criticized.




Zoom has been under intense scrutiny for its shady installation process, which uses workarounds similar to those often used by macOS malware.

The Zoom app could be installed on a Mac without the user's final consent, as discovered by software engineer Felix Seele.

Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M

-- Felix (@c1truz_)
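
An added example, not part of the original article and not Zoom's code: a Python audit that scans the install scripts of an already-expanded package directory (for example the output of `pkgutil --expand`) for the three behaviours the tweet describes. The `Example.pkg` tree, the sample script and the regex heuristics are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Script names an Installer package can run around the payload step.
SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}
# Assumed heuristics for the behaviours named in the tweet; tune for real use.
CHECKS = {
    "admin_group_test": re.compile(r"\b(id\s+-Gn?|groups|dseditgroup)\b.*\badmin\b"),
    "bundled_unpacker": re.compile(r"(^|[\s/])(7z[ar]?|7zz|unzip)\s"),
    "writes_to_applications": re.compile(r"\b(cp|mv|ditto)\b.*\s/Applications\b"),
}
# Constructed sample script; it is not Zoom's actual preinstall script.
SAMPLE_PREINSTALL = """#!/bin/bash
# constructed sample
if id -Gn "$USER" | grep -qw admin; then
  ./7zr x -o"$TMPDIR/unpacked" app.7z
  mv "$TMPDIR/unpacked/Example.app" /Applications/
fi
exit 0
"""

def audit_expanded_pkg(root):
    """Return (script, line_no, check) for each flagged line in install scripts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.name in SCRIPT_NAMES):
            continue
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if line.lstrip().startswith("#"):
                continue  # skip shebang and comments
            for name, rx in CHECKS.items():
                if rx.search(line):
                    findings.append((path.relative_to(root).as_posix(), no, name))
    return findings

def build_sample(root):
    """Write a constructed expanded-package tree (hypothetical Example.pkg)."""
    scripts = Path(root) / "Example.pkg" / "Scripts"
    scripts.mkdir(parents=True)
    (scripts / "preinstall").write_text(SAMPLE_PREINSTALL)
    (scripts / "postinstall").write_text("#!/bin/bash\necho done\nexit 0\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_expanded_pkg(build_sample(tmp)):
            print(finding)
```

Any finding is a prompt to read the script before running the installer, not proof of malice; many legitimate packages ship install scripts.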


Zoom's CEO responded, saying that the installer was meant to simplify the process, as many new users might not be able to join a meeting quickly without the exploits. The company noted that since the outbreak of the COVID-19 pandemic, it had ballooned from 10 million daily users to over 200 million daily users.

Despite the company's reasoning, public backlash was intense. On Thursday, Zoom issued a new update, replacing the "shady" installer with a more traditional one.

"They completely removed the preinstall stuff, so you now need to click through the installer as it ought to be," explains Seele in a message to The Verge. The fake prompt has also been removed so users have to specifically click through and install Zoom. "I must say that I am impressed," says Seele. "I expected them to maybe change the dialog, but since the 'zero-click' aspect was so important to them, I thought they would stick with the preinstall-trick."

The company has said they will undergo a 90-day feature and development freeze to work on security issues and fix existing problems.

The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.

Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.

Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption when it did not actually provide it.

On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.

In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.

Comments

  • Reply 1 of 16
    coolfactor Posts: 2,239 member
    This is a pivotal moment for Zoom to get it right, so glad that they are taking the high road. I hold any developer accountable that doesn't follow Mac standards. Adobe is one of the biggest violators of this, still to this day!
  • Reply 2 of 16
    Given its history, I don't believe a word Zoom says. They clearly are in the business of slurping and monetising client data. They always come with fixes for the stuff they got caught out on, but what other crap is left lurking below their surface?
  • Reply 3 of 16
    laytech Posts: 335 member
    And Governments (UK) in particular are using this software for conferencing. Scary. A sure fire way to easily listen in.
  • Reply 4 of 16
    MplsP Posts: 3,911 member
    good for zoom for moving to fix things. Now Apple needs to fix the hole that allowed the install in the first place

    I have zoom installed on my computer because it's required for work and I was a bit confused at how it installed without any permissions. Now I know why.
  • Reply 5 of 16
    Too little, too late. The company sounds like a bunch of unprofessional hacks.
  • Reply 6 of 16
    pujones1 Posts: 222 member
    Given its history, I don't believe a word Zoom says. They clearly are in the business of slurping and monetising client data. They always come with fixes for the stuff they got caught out on, but what other crap is left lurking below their surface?
    I’m with you. They had to pay the bills and make money somehow right? Might as well slurp the product (those who use Zoom). 

    So does that mean that it doesn’t do the root thing? 
  • Reply 7 of 16
    To Zoom’s credit, actually getting people into a meeting can be extremely challenging, and having something that you click once and run increases adoption because people can actually get into the meeting without jumping through hoops.

    Nothing like installing a plugin, entering the meeting code, creating an account, allowing the microphone, allowing the camera... after all that you lost half of your meeting's participants.

    Zoom had a simple, easy to use way to join meetings.
    edited April 2020
  • Reply 8 of 16
    Phobos7 Posts: 63 member
    Good on Zoom, those pesky little hackers upset a lot of meetings in my area.
  • Reply 9 of 16
    seanismorris Posts: 1,624 member
    I’d never used Zoom, but I give them credit for moving in the right direction.

    Hopefully they prioritize security in the future.


  • Reply 10 of 16
    lowededwookie Posts: 1,143 member
    MplsP said:
    good for zoom for moving to fix things. Now Apple needs to fix the hole that allowed the install in the first place

    I have zoom installed on my computer because it's required for work and I was a bit confused at how it installed without any permissions. Now I know why.
    They did. It was mentioned about two Zoom articles ago.

    So here's the thing that the negative nellies need to get into their heads. This all blew up last Thursday. It is now Friday a week on (NZ time). In that time Zoom has acknowledged issues, created two patches, and performed a feature freeze until the current issues are fixed.

    Please explain to me how a small company has performed this when Adobe, Microsoft, Facebook, Google, and a slew of others, including Apple, can't do the same and yet the negative nellies are railing on Zoom? It seems to me that these people will NEVER be satisfied so why bother with those oxygen thieves.
  • Reply 11 of 16
    rrabu Posts: 264 member
    Wish they installed via Mac App Store instead.
  • Reply 12 of 16
    chasm Posts: 3,273 member
    They've got a LONG LONG way to go before I'll trust them (at one point last year they were still installing an easily hackable with system privileges web server on your machine as part of their install), but oh look intense scrutiny seems to have gotten them to understand that they are sleaze balls with very little time to clean up their act before alternatives (like Cisco's WebEx, or heck Apple itself) eat their lunch.

    I don't like companies that only fix problems when they get caught.
  • Reply 13 of 16
    Rayz2016 Posts: 6,957 member
    MplsP said:
    good for zoom for moving to fix things. Now Apple needs to fix the hole that allowed the install in the first place

    I have zoom installed on my computer because it's required for work and I was a bit confused at how it installed without any permissions. Now I know why.
    Apple allows the preflight scripts because it makes it easier to install low-level development tools that might need to check for the presence of other pieces of software. 

    I’m all for closing it down, but many developers, who don’t abuse the privilege, rely on it, so shutting it won’t be without consequence. 
  • Reply 14 of 16
    magman1979 Posts: 1,292 member
    Given its history, I don't believe a word Zoom says. They clearly are in the business of slurping and monetising client data. They always come with fixes for the stuff they got caught out on, but what other crap is left lurking below their surface?
    You are very wise not to trust them, especially after this latest revelation by The Intercept:

    https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/

    Appears they actually falsify the use of AES-256-bit encryption, it's actually 128-bit, and they have links to Beijing, and the encryption keys get generated on Beijing servers even for 100% North American callers on some occasions, meaning the CCP has the power to force them to intercept and decode private data at will.
  • Reply 15 of 16
    entropys Posts: 4,152 member
    Had to install for my 85 yo father (over teamviewer no less) last night so he could participate in his church group. I was worried after all the bad press and was reassured when the normal install process occurred. This also forced me to install on my own Mac to test it out with him. Wasn’t happy about that I must admit.
  • Reply 16 of 16
    DAalseth Posts: 2,783 member
    entropys said:
    Had to install for my 85 yo father (over teamviewer no less) last night so he could participate in his church group. I was worried after all the bad press and was reassured when the normal install process occurred. This also forced me to install on my own Mac to test it out with him. Wasn’t happy about that I must admit.
    I was thinking about that. If for some reason I had to use Zoom, what would I do? The iOS client is supposed to be better, so that would be a possibility if it was an ongoing need. Frankly if it was a one off I might just set up a quick virtual Windows machine, install it on there, and after the experiment was done nuke the whole thing. 