Zoom installer flaw can give attackers root access to your Mac
A security researcher has found a flaw in the Zoom desktop client for macOS that could let an attacker who already has a foothold on the machine escalate to root and control the entire operating system -- and the issue has yet to be fully fixed.
Malware
Patrick Wardle, a veteran security researcher who formerly worked for the NSA, shared his findings in a presentation at the Defcon conference in Las Vegas on Friday, according to The Verge.
The attack leverages the Zoom for macOS installer, which asks for administrator permissions so that it can install or uninstall Zoom. More specifically, Wardle found that the installer leaves behind an auto-update helper that keeps running in the background with those elevated (root) privileges.
Whenever Zoom shipped an update to its video-conferencing client, the auto-updater would check that the new package was legitimate before installing it. A flaw in how the updater verified the package's signature, however, meant that an attacker could trick it into accepting a malicious file as one signed by Zoom.
Because the updater runs as the superuser, Wardle found that an attacker could push any program through the update function and have it executed with root privileges. And Zoom let the flaw exist for months.
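The article does not spell out the mechanics of the verification flaw, so the example below is added here as an illustration and is not Zoom's code. It shows what a privileged updater's check should look like in general: pin the publisher's public key, verify the signature over exactly the bytes that will be installed, reject packages signed by any other key or altered after signing, and install only the verified in-memory copy rather than re-reading the file from disk. It goes slightly beyond the article by also binding a version number into the signed data, so a genuine but old build cannot be replayed. Ed25519 comes from Go's standard library; the package layout, the `UpdatePackage` type and the function names are this example's own assumptions, and the payloads are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is an update as the privileged updater receives it: the bytes
// it would install plus a detached signature from the publisher. This is a
// constructed format for the example, not Zoom's package layout.
type UpdatePackage struct {
	Version   uint32 // must exceed the installed version, so an old build cannot be replayed
	Payload   []byte // the installer bytes
	Signature []byte // publisher's Ed25519 signature over signedBytes(Version, Payload)
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned publisher key")
	ErrNotNewer     = errors.New("update rejected: version is not newer than the installed one")
)

// signedBytes binds version and payload under one signature, so an attacker
// cannot pair a genuine payload with a different version number.
func signedBytes(version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("update-v1\x00")
	buf.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	buf.Write(payload)
	return buf.Bytes()
}

// SignUpdate is the publisher side; only the publisher holds priv.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

// VerifyAndStage is the updater side. It returns a private copy of the bytes
// that may be installed; the caller must install exactly these bytes and must
// not go back to the file on disk, which an unprivileged user may have swapped
// after the check.
func VerifyAndStage(pinnedPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) ([]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	// Verify before trusting any field, including Version.
	if !ed25519.Verify(pinnedPub, signedBytes(pkg.Version, pkg.Payload), pkg.Signature) {
		return nil, ErrBadSignature
	}
	if pkg.Version <= installed {
		return nil, ErrNotNewer
	}
	return append([]byte(nil), pkg.Payload...), nil
}

// Scenario walks through the cases a privileged updater must get right and
// reports which packages were accepted. Keys are generated fresh; the
// "attacker" key stands in for anyone who is not the publisher.
func Scenario() (genuineAccepted, wrongKeyRejected, tamperedRejected, rollbackRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	const installed = 5

	// 1. Genuine update from the publisher, newer than what is installed.
	good := SignUpdate(priv, 6, []byte("constructed installer payload v6"))
	staged, e := VerifyAndStage(pub, installed, good)
	genuineAccepted = e == nil && bytes.Equal(staged, good.Payload)

	// 2. Package signed with some other key: a valid signature, but not the publisher's.
	forged := SignUpdate(attackerPriv, 7, []byte("malicious payload"))
	_, e = VerifyAndStage(pub, installed, forged)
	wrongKeyRejected = errors.Is(e, ErrBadSignature)

	// 3. Genuine signature, payload altered after signing (e.g. swapped on disk).
	tampered := good
	tampered.Payload = []byte("malicious payload")
	_, e = VerifyAndStage(pub, installed, tampered)
	tamperedRejected = errors.Is(e, ErrBadSignature)

	// 4. Genuine but old package: a real, signed build that is known to be buggy.
	old := SignUpdate(priv, 4, []byte("constructed installer payload v4"))
	_, e = VerifyAndStage(pub, installed, old)
	rollbackRejected = errors.Is(e, ErrNotNewer)
	return
}

func main() {
	g, w, t, r, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\nwrong key rejected: %v\ntampered rejected: %v\nrollback rejected: %v\n", g, w, t, r)
}
```

The point of returning a copy from `VerifyAndStage` is that the check and the install operate on the same bytes; an updater that verifies a path and then re-opens that path to install it hands an unprivileged user a window to swap the file in between.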
"To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle said to The Verge. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."
The flaw is a local privilege escalation: an attacker must already be able to run code as an ordinary user on the Mac, but from there can gain "root," or "superuser," privileges. In theory, that would allow them to add, remove, or modify any file on the machine.
Zoom issued an initial patch a few weeks after Wardle reported the flaw, but he said that update contained another bug that still allowed the vulnerability to be exploited.
He promptly reported the second bug as well, then waited eight months before publishing his research.
A few months before the August Defcon conference, Wardle says, Zoom issued another patch that fixed the bugs he had initially reported. That patch, however, still contains an error that lets attackers leverage the flaw.
That second bug is still present in the latest Zoom release. It is apparently easy to fix, so Wardle hopes that discussing it publicly at Defcon will prompt Zoom to issue a patch quickly.
How to protect yourself
Since the flaw is still present in the latest version of Zoom, the only way to mitigate it completely is to stop using the Zoom desktop installer and the privileged auto-update helper it leaves on the machine. You can go one step further and delete any retained installer packages. Alternatively, you can join Zoom meetings from most standard web browsers, which need no privileged helper on the Mac.
Updated August 13, 8:30 AM ET Removed erroneous references to Zoom version on Mac App Store.
Read on AppleInsider
Comments
Or just turning off "Automatically keep Zoom desktop client up to date" in your Zoom preferences would seem to address the issue.
I don't see anything that looks to be associated with Zoom running on my computer, but I have not used Zoom since the last restart.
1) Is the software available in the App Store?
If the answer is yes, then good. This means there's no installer, no updater, nothing that lives outside of a sandbox*. And no matter how cursory an inspection, you know that someone has taken a look at it.
2) No App Store, so the next question is 'does this software come with an installer?'
If the answer is no, but the software is signed/notarized by Apple, then good. The software is just a program, good or bad. It might not be able to run in a sandbox, but it's not obviously noteworthy.
3) This software comes with an installer. This means it needs to do something unusual under the covers. You should be questioning whether you really, really, need this program. It's almost inevitable that it's going directly to question 4, which is:
4) Does the installer want Admin/Root access?
Full stop. Close the installer, take a breath. You have to ask yourself if this software is absolutely necessary. If it is, you must run something like Suspicious Package ( https://www.mothersruin.com/software/SuspiciousPackage ) and try to figure out what is going on. In the case of something like Chrome or Zoom you'll see that the installer is installing extra stuff that you don't want. Walk away. In my case I still needed to use Zoom so I used my iPad.
* I've lost count of the number of App Store developers who play bait-and-switch claiming that App Store restrictions prevent this feature or that and wouldn't I rather download the version from their website - and they're lying through their teeth. When you point out that *other* App Store programs have no problem doing this or that, they'll say 'ok, that will be fixed in our next release'.