Zoom installer flaw can give attackers root access to your Mac

Posted in General Discussion, edited August 2022
A security researcher has discovered a flaw in Zoom on macOS that could allow attackers to gain root access and control the entire operating system -- and the issue has yet to be fully fixed.

Malware


Patrick Wardle, a veteran security researcher who formerly worked for the NSA, shared his findings in a presentation at the Defcon conference in Las Vegas on Friday, according to The Verge.

The attack works by leveraging the Zoom for macOS installer, which requires special user permissions to be able to install or uninstall Zoom from a Mac. More specifically, Wardle discovered that the installer has an auto-update function that continues to run in the background with elevated privileges.

Whenever Zoom issued an update to its video conferencing platform, the auto-updater would install the update after checking that it was legitimate. However, a flaw in the cryptographic verification method meant that an attacker could trick the updater into thinking a malicious file was signed by Zoom.

Since the updater runs with superuser privileges, Wardle found that an attacker could run any program through the update function -- and gain those privileges. And, Zoom let the flaw exist for months.

"To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle said to The Verge. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."

As a privilege escalation attack, the flaw could allow attackers to gain "root" or "superuser" privileges on a Mac. In theory, that could allow them to add, remove, or modify any file on the machine.

Although Zoom issued an initial patch a few weeks before the event, Wardle said that the update contained another bug that could have allowed attackers to continue exploiting the flaw.

He soon disclosed the second bug and waited eight months to publish his research.

A few months before the Defcon conference in August, Wardle says that Zoom issued another patch that fixed the bugs he initially discovered. However, this latest patch still contains errors that could allow attackers to leverage the flaw.

The second bug is currently still active in the latest update for Zoom. It's apparently easy to fix, so Wardle hopes that talking about it publicly at Defcon will get Zoom to quickly issue a patch.

How to protect yourself

Since the flaw is still present in the latest version of Zoom, the only way to completely mitigate it is to stop using the Zoom installer. You can also go one step further and delete retained installers.

Alternatively, you can also join Zoom meetings from most standard web browsers.

Updated August 13, 8:30 AM ET: Removed erroneous references to Zoom version on Mac App Store.


Comments

  • Reply 1 of 12
    loopless (Posts: 341, member)

    Or just turning off "Automatically keep Zoom desktop client up to date" in your Zoom preferences would seem to address the issue.

  • Reply 2 of 12
    danox (Posts: 3,300, member)
    Zoom is like Teams a cancerous program with no redeeming value.
  • Reply 3 of 12
    StrangeDays (Posts: 13,068, member)
    Auto-installers yet again proving themselves to be a bad idea. Google’s chrome background process hosed Macbooks. Why do these guys keep doing this?
  • Reply 4 of 12
    danox said:
    Zoom is like Teams a cancerous program with no redeeming value.
    Completely disagree. Used it extensively for the past two years. When it came out there was nothing like it on the market. We’re using it with over 100 connections. It has plenty of redeeming value. Maybe not for you but news flash, you’re not everyone.
    edited August 2022
  • Reply 5 of 12
    What is the auto updater Process Name? Then maybe I could kill it in Activity Monitor.

    I don't see anything that looks to be associated with Zoom running on my computer, but I have not used Zoom since the last restart.
  • Reply 6 of 12
    danox said:
    Zoom is like Teams a cancerous program with no redeeming value.
    You misspelled TikTok and Facebook. ;)
  • Reply 7 of 12
    MplsP (Posts: 4,007, member)
    WilliamM said:
    What is the auto updater Process Name? Then maybe I could kill it in Activity Monitor.

    I don't see anything that looks to be associated with Zoom running on my computer, but I have not used Zoom since the last restart.
    This - my first step would be to kill the auto updater process. That should theoretically fix the problem.
  • Reply 8 of 12
    crowley (Posts: 10,453, member)
    Another day, another Zoom security balls up.
  • Reply 9 of 12
    maltz (Posts: 490, member)
    "Since the flaw is still present in the latest version of Zoom, the only way to completely mitigate it is to stop using the Zoom installer."

    That makes no sense - I stop using the installer after I've installed the program. Can we get some clearer instruction on this?

  • Reply 10 of 12
    macxpress (Posts: 5,922, member)
    Zoom is an insecure turd of an application. Exactly why this is not approved to be used at work. 
  • Reply 11 of 12
    maltz said:

    That makes no sense - I stop using the installer after I've installed the program. Can we get some clearer instruction on this?

    You raise an excellent point.  The simple answer is that you must disable the updater (as opposed to 'installer').  In the future, if you want to preserve the security of your Mac, your process should be something like this:

    1) Is the software available in the App Store?

    If the answer is yes, then good.  This means there's no installer, no updater, nothing that lives outside of a sandbox*.  And no matter how cursory an inspection, you know that someone has taken a look at it.

    2) No App Store, so the next question is 'does this software come with an installer?'

    If the answer is no, but the software is signed/notarized by Apple, then good.  The software is just a program, good or bad.  It might not be able to run in a sandbox, but it's not obviously noteworthy.

    3) This software comes with an installer.  This means it needs to do something unusual under the covers.  You should be questioning whether you really, really, need this program.   It's almost inevitable that it's going directly to question 4, which is:

    4) Does the installer want Admin/Root access?

    Full stop.  Close the installer, take a breath.  You have to ask yourself if this software is absolutely necessary.  If it is, you must run something like Suspicious Package ( https://www.mothersruin.com/software/SuspiciousPackage ) and try and figure out what is going on.  In the case of something like Chrome or Zoom you'll see that the installer is installing extra stuff that you don't want.  Walk away.  In my case I still needed to use Zoom so I used my iPad.

    * I've lost count of the number of App Store developers who play bait-and-switch claiming that App Store restrictions prevent this feature or that and wouldn't I rather download the version from their website - and they're lying through their teeth.  When you point out that *other* App Store programs have no problem doing this or that, they'll say 'ok, that will be fixed in our next release'.

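The article describes an updater that an installer leaves running in the background as root, Reply 5 and Reply 7 ask how to find that background process, and Reply 11 recommends opening a package in Suspicious Package to see what the installer actually drops. The script below is an added example, not code from AppleInsider, Zoom or Patrick Wardle's research, that does a minimal version of that inspection with only the Python standard library. It assumes the .pkg has already been expanded on a Mac with `pkgutil --expand Installer.pkg ./expanded` (an assumption about the reader's workflow), then walks the expanded tree and reports the install scripts (which the installer runs as root) and the launchd job plists (LaunchDaemons run as root at boot, LaunchAgents run as the logged-in user), including the program each job starts, which is exactly where a privileged auto-updater would show up. The sample package layout, labels and paths (`com.example.updater`, `/Library/Example/...`) are constructed for the demonstration and are not Zoom's.

```python
"""Audit an expanded macOS .pkg tree for root-privileged scripts and persistent launchd jobs.

Added example; not AppleInsider's, Zoom's or Wardle's code.
Assumes the package was expanded beforehand, e.g. `pkgutil --expand Installer.pkg ./expanded`.
"""
import plistlib
import tempfile
from pathlib import Path

# Script names the pkg installer executes with root privileges (standard pkg hooks).
INSTALL_SCRIPTS = {"preinstall", "postinstall", "preupgrade", "postupgrade"}


def describe_launchd_plist(path):
    """Summarise what a launchd job executes and whether launchd starts it automatically."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # a malformed plist is still worth reporting, not hiding
        return {"program": None, "auto_start": False, "error": str(exc)}
    # launchd accepts either a single Program or a ProgramArguments array.
    program = job.get("Program") or " ".join(job.get("ProgramArguments", []))
    auto_start = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    return {"program": program, "auto_start": auto_start, "error": None}


def audit_payload(root):
    """Return a list of (kind, relative path, detail) for everything in the expanded
    package that runs as root during installation or persists afterwards."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parts = set(path.parts)
        if path.name in INSTALL_SCRIPTS:
            findings.append(("install-script", rel, {"runs_as": "root"}))
        elif path.suffix == ".plist" and "LaunchDaemons" in parts:
            # Jobs in /Library/LaunchDaemons are started by launchd as root.
            findings.append(("launch-daemon", rel,
                             {"runs_as": "root", **describe_launchd_plist(path)}))
        elif path.suffix == ".plist" and "LaunchAgents" in parts:
            # Jobs in LaunchAgents run in the user's session, not as root.
            findings.append(("launch-agent", rel,
                             {"runs_as": "user", **describe_launchd_plist(path)}))
    return findings


def build_sample_payload(root):
    """Write a constructed, fictional expanded-pkg layout used only for this demonstration."""
    root = Path(root)
    scripts = root / "Scripts"
    scripts.mkdir(parents=True)
    # A postinstall hook that activates the daemon it just installed (constructed sample).
    (scripts / "postinstall").write_text(
        "#!/bin/sh\n/bin/launchctl load /Library/LaunchDaemons/com.example.updater.plist\n")
    daemons = root / "Payload" / "Library" / "LaunchDaemons"
    daemons.mkdir(parents=True)
    with open(daemons / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Library/Example/updater", "--daemon"],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    agents = root / "Payload" / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.helper.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "Program": "/Library/Example/helper"}, fh)


def run_demo():
    """Build the constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_payload(tmp)
        return audit_payload(tmp)


if __name__ == "__main__":
    # Real use: python3 this_script.py after `pkgutil --expand`, then audit_payload("./expanded").
    for kind, rel, detail in run_demo():
        print(f"{kind:15} {rel}")
        print(f"{'':15} {detail}")
```

Against a real expanded package you would call `audit_payload("./expanded")` instead of `run_demo()`. The point of the report is the combination the article warns about: a launch daemon (root) whose program is marked `RunAtLoad`/`KeepAlive` keeps running after the installer is gone, and the plist's `Label` and program path are what to look for in Activity Monitor or `launchctl list` if you decide to unload it, as Reply 7 suggests.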
  • Reply 12 of 12
    digitol (Posts: 276, member)
    Zoom has come from a long line of shady practices and dev. This is hardly surprising news. Funny that zoom was provided turn key fixed yet the flaw remains. A mere repeated “accident” 3,4 times, or perhaps the security hole/exploit has been left open on purpose. 