SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Zoom Exploit on macOS Can Result in Root Access
Date    Tuesday August 16 2022, @09:31PM
Author    hubie
from the why-are-you-using-zoom-spyware-anyway? dept.
https://soylentnews.org/article.pl?sid=22/08/16/0213240

upstart writes in with two stories on a Zoom exploit affecting macOS users:

The Zoom installer let a researcher hack his way to root access on macOS:

A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.

[...] The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom's signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

[...] "To me that was kind of problematic [Zoom not responding to his disclosure for 8 months] because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle told The Verge in a call before the talk. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."

Update Zoom for Mac Now to Avoid Root-access Vulnerability:

If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.

The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user.

It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg"), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.

Wardle disclosed his findings to Zoom before his talk, and some aspects of the vulnerability were addressed, but key root access was still available as of Wardle's talk on Saturday. Zoom issued a security bulletin later that same day, and a patch for version Zoom 5.11.5 (9788) followed soon after. You can download the update directly from Zoom or click on your menu bar options to "Check for updates." We wouldn't suggest waiting for an automatic update, for multiple reasons.
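The check described above, as an added example that is not from the page or from Zoom's own code: a checker that greps the signature tool's output for the expected certificate names (the pattern the articles describe) beside one that parses the status and chain fields. The tool output, vendor name and team ID below are constructed stand-ins, and the layout only approximates `pkgutil --check-signature`.

```python
import re

# Constructed stand-in for `pkgutil --check-signature` output on a properly
# signed package: a Status line plus a numbered certificate chain.
LEGIT_OUTPUT = """Package "ExampleUpdate.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (TEAMID0000)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

# Constructed output for an UNSIGNED file whose file name happens to contain
# the chain names the checker is looking for. The tool echoes the name back.
UNSIGNED_LOOKALIKE_OUTPUT = """Package "Developer ID Installer: Example Vendor (TEAMID0000) Developer ID Certification Authority Apple Root CA.pkg":
   Status: no signature
"""

# The chain a hardened checker insists on, in order (constructed values).
EXPECTED_CHAIN = [
    "Developer ID Installer: Example Vendor (TEAMID0000)",
    "Developer ID Certification Authority",
    "Apple Root CA",
]


def naive_check(output: str) -> bool:
    """Flawed approach: treat the tool output as one blob and accept if every
    expected certificate name appears somewhere in it. The echoed file name is
    part of that blob, so a name chosen to match passes with no signature."""
    return all(name in output for name in EXPECTED_CHAIN)


def hardened_check(output: str) -> bool:
    """Parse the structured fields instead: require a 'signed by a developer
    certificate' status and an exact, ordered match of the numbered chain
    entries. The echoed file name is never consulted."""
    status = re.search(r"^\s*Status:\s*(.+)$", output, re.M)
    if not status:
        return False
    if not status.group(1).startswith("signed by a developer certificate"):
        return False
    chain = re.findall(r"^\s*\d+\.\s+(.+?)\s*$", output, re.M)
    # A production checker would also pin the leaf certificate fingerprint.
    return chain == EXPECTED_CHAIN
```

Both checkers accept the legitimately signed package; only the naive one also accepts the unsigned lookalike.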

Original Submission 1
Original Submission 2

Links

  1. "upstart" - https://soylentnews.org/~upstart/
  2. "The Zoom installer let a researcher hack his way to root access on macOS" - https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle
  3. "Update Zoom for Mac Now to Avoid Root-access Vulnerability" - https://arstechnica.com/information-technology/2022/08/zoom-patches-mac-auto-updater-vulnerability-that-granted-root-access/
  4. "first discovered by Patrick Wardle" - https://twitter.com/patrickwardle/status/1558220950558035968?s=21&t=82dTcApJ0PB_uUwX26H8IQ
  5. "Objective-See Foundation" - https://objective-see.org/
  6. "Original Submission 1" - https://soylentnews.org/submit.pl?op=viewsub&subid=56404
  7. "Original Submission 2" - https://soylentnews.org/submit.pl?op=viewsub&subid=56455

© Copyright 2024 - SoylentNews, All Rights Reserved