from the why-are-you-using-zoom-spyware-anyway? dept.
The Zoom installer let a researcher hack his way to root access on macOS:
A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain control over the entire operating system.
[...] The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the check was implemented meant that giving the updater any file with the same name as Zoom's signing certificate would be enough to pass the test, so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.
[...] "To me that was kind of problematic [Zoom not responding to his disclosure for 8 months] because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle told The Verge in a call before the talk. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."
Update Zoom for Mac Now to Avoid Root-access Vulnerability:
If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.
The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit macOS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user.
It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom were supposed to be extracted. The problem is that simply giving the verification check a package whose name matched what it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg") was enough to bypass it. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
Wardle disclosed his findings to Zoom before his talk, and some aspects of the vulnerability were addressed, but the key root-access path was still available as of Wardle's talk on Saturday. Zoom issued a security bulletin later that same day, and a patch, Zoom 5.11.5 (9788), followed soon after. You can download the update directly from Zoom or use the "Check for updates" option in the menu bar. We wouldn't suggest waiting for an automatic update, for multiple reasons.
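To make the class of bug concrete, here is an added example in Python (not Zoom's code, and not from either article quoted above). It models the updater's signature check as a substring search over the text that macOS's `pkgutil --check-signature` prints, which is the pattern the excerpts describe: the tool's first line echoes the package file name, so a file named to contain the expected strings passes. Beside it is a hardened version that skips the echoed name, parses the status and certificate chain entries, pins the signing identity, and refuses downgrades. The sample outputs, the expected strings, the Team ID and the exact output format are assumptions constructed for the demo; the real updater's code is not on this page.

```python
import re

# Values the hardened check pins. The Team ID is a placeholder (assumption),
# not Zoom's real identifier.
EXPECTED_LEAF_SUBJECT = "Developer ID Installer: Zoom Video Communications, Inc."
EXPECTED_TEAM_ID = "TEAMID0000"
EXPECTED_ISSUERS = ["Developer ID Certification Authority", "Apple Root CA"]
EXPECTED_STATUS = "signed by a developer certificate issued by Apple for distribution"

# Constructed sample: roughly what `pkgutil --check-signature` prints for a
# genuinely signed package (format assumed, fingerprint fake).
GENUINE_OUTPUT = """\
Package "Zoom.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2022-08-13 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Zoom Video Communications, Inc. (TEAMID0000)
       Expires: 2027-02-01 00:00:00 +0000
       SHA256 Fingerprint:
           00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55
           66 77 88 99 AA BB CC DD EE FF
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 00:00:00 +0000
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 00:00:00 +0000
"""

# Constructed sample: an UNSIGNED package whose file name was chosen to contain
# every string the naive check looks for. The tool echoes that name verbatim.
SPOOFED_OUTPUT = """\
Package "Zoom Video Communications, Inc. Developer ID Certification Authority Apple Root CA.pkg":
   Status: no signature
"""


def vulnerable_is_signed_by_zoom(check_output: str) -> bool:
    """The bug class described above: trust is decided by substring search over
    tool output, and that output includes attacker-chosen text (the file name)."""
    return all(needle in check_output for needle in (
        "Zoom Video Communications, Inc.",
        "Developer ID Certification Authority",
        "Apple Root CA",
    ))


def parse_check_output(check_output: str):
    """Return (status, chain): the Status value and the numbered certificate
    entries in order. The 'Package "..."' header line is deliberately skipped."""
    status, chain, in_chain = None, [], False
    for raw in check_output.splitlines():
        line = raw.strip()
        if line.startswith('Package "'):
            continue  # echoes the caller-controlled file name: never inspect it
        if line.startswith("Status:"):
            status = line[len("Status:"):].strip()
        elif line == "Certificate Chain:":
            in_chain = True
        elif in_chain:
            m = re.match(r"^\d+\.\s+(.+)$", line)
            if m:
                chain.append(m.group(1))
    return status, chain


def hardened_is_signed_by_zoom(check_output: str) -> bool:
    """Accept only a signed package whose leaf is the expected Developer ID
    Installer identity with the expected Team ID, chained to the expected CAs."""
    status, chain = parse_check_output(check_output)
    if status != EXPECTED_STATUS or len(chain) != 3:
        return False
    leaf, *issuers = chain
    m = re.fullmatch(r"(.+?) \(([A-Z0-9]{10})\)", leaf)
    if m is None:
        return False
    subject, team_id = m.groups()
    return (subject == EXPECTED_LEAF_SUBJECT
            and team_id == EXPECTED_TEAM_ID
            and issuers == EXPECTED_ISSUERS)


def _version_key(version: str):
    return tuple(int(part) for part in version.split("."))


def is_downgrade(installed: str, candidate: str) -> bool:
    """A validly signed but older package is still an attack: it brings back
    bugs that the installed version already fixed."""
    return _version_key(candidate) < _version_key(installed)


def accept_update(check_output: str, installed: str, candidate: str) -> bool:
    """What a root-privileged updater should require before installing anything."""
    return hardened_is_signed_by_zoom(check_output) and not is_downgrade(installed, candidate)
```

Run with the two constructed outputs, `vulnerable_is_signed_by_zoom` returns True for both, because the spoofed package's file name alone satisfies the search; `hardened_is_signed_by_zoom` returns True only for the genuine one, and `accept_update` additionally rejects a signed package that is older than what is installed. Even the parsed version is a stopgap: a privileged updater should evaluate the signature through the platform's signing API rather than scraping a tool's text, pin the signing identity, and perform the check on a copy that the unprivileged caller can no longer modify.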
(Score: 2) by Mykl on Tuesday August 16 2022, @10:56PM (2 children)
I remember reading an article a few months into the COVID pandemic about the meteoric rise of Zoom (if you didn't know, the company was founded by a few guys who split from the WebEx team at Cisco). The article spent some time talking about how the company decided to go for rapid growth first, then worried about things like security later. None of their security mechanisms are part of the original design - they've been slapped on later as demanded.
Pretty surprising that such a significant vulnerability was ignored for so long after being reported though.
(Score: 0) by Anonymous Coward on Wednesday August 17 2022, @12:23AM
See your post title.
Also note how they issued a security bulletin on the day that Wardle gave his talk?
(Score: 0) by Anonymous Coward on Wednesday August 17 2022, @01:07AM
Some of my customers insist on Zooming. I run the "in browser window" option, in the (perhaps futile) hope that it improves my security a little bit.
Of course the browser that I use is Chrome on Win7, so maybe I'm screwed anyway, oh well. At least they aren't getting my picture, there is tape over my laptop camera.
(Score: 2) by progo on Wednesday August 17 2022, @02:26PM (1 child)
I stopped using macOS a long time ago so I'm confused by what's going on.
Zoom is a service whose client fits comfortably inside a web page. Therefore their native app doesn't need any more permissions than a web browser. Installing unprivileged apps on macOS USED to be a simple matter of copying a folder to the Applications folder. Why does a Zoom updater need root?
(Score: 0) by Anonymous Coward on Wednesday August 17 2022, @06:11PM
Maybe it is because their native app can get access to the camera and microphone?