It’s time for a manual update if you use Zoom on a Mac. The most recent version to the video conferencing software closes a bug in the auto-update feature that may have given malicious apps elevated installation privileges and system control.

Patrick Wardle, the creator of the Objective-See Foundation, a nonprofit organization dedicated to macOS security, was the first to identify the flaw. Last week, Wardle explained in a session at Def Con that Zoom’s installer requests a user password when installing or uninstalling but does not require one for its auto-update function, which is turned on by default. Wardle found that Zoom’s updater is owned by, and runs as, the root user.

Only Zoom clients could talk to the privileged daemon, and only Zoom-signed packages could be extracted, so it appeared secure. The problem is that this check could be bypassed simply by giving the package a name containing the strings the verifier was looking for (“Zoom Video… Certification Authority Apple Root CA.pkg”). As a result, a malicious actor could make Zoom downgrade to a buggy, less secure version or even hand it an entirely different package that would grant root access to the machine.
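The bypass described above comes down to a substring search over a textual signature report that also echoes the file name. Here is an added example (not Zoom’s code) contrasting that anti-pattern with a check that parses the certificate chain itself; the report format and the `fake_signature_report` helper are constructed stand-ins for a real signature-check tool.

```python
import re

# Constructed expected chain for the trusted signer (stand-in values, not real cert names).
EXPECTED_CHAIN = [
    "Zoom Video Communications, Inc.",
    "Developer ID Certification Authority",
    "Apple Root CA",
]


def fake_signature_report(filename: str, chain: list) -> str:
    """Constructed stand-in for a signature-check tool's output.

    The first line echoes the file name; signed packages then list one
    numbered line per certificate in the chain.
    """
    lines = [f'Package "{filename}":']
    if not chain:
        lines.append("   Status: no signature")
        return "\n".join(lines)
    lines.append("   Status: signed by a developer certificate")
    lines.append("   Certificate Chain:")
    for i, name in enumerate(chain, 1):
        lines.append(f"    {i}. {name}")
    return "\n".join(lines)


def flawed_is_trusted(report: str) -> bool:
    # Anti-pattern: search the whole report for the expected names. The echoed
    # file name on line one is part of the haystack, so a crafted name passes.
    return all(name in report for name in EXPECTED_CHAIN)


def hardened_is_trusted(report: str) -> bool:
    # Parse only the numbered certificate-chain lines and require an exact,
    # ordered match; the file-name line never matches this pattern.
    chain = re.findall(r"^[ \t]+\d+\.[ \t]+(.+)$", report, flags=re.MULTILINE)
    return chain == EXPECTED_CHAIN


# Constructed inputs: a genuine update and an unsigned package whose name
# mirrors the strings the flawed verifier looks for.
GENUINE = fake_signature_report("zoomupdate.pkg", EXPECTED_CHAIN)
CRAFTED = fake_signature_report(
    "Zoom Video Communications, Inc. Developer ID Certification Authority Apple Root CA.pkg",
    [],
)
```

Running `flawed_is_trusted(CRAFTED)` returns True while `hardened_is_trusted(CRAFTED)` returns False; both return True for `GENUINE`.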

Wardle informed Zoom of his findings before his talk, and while some parts of the vulnerability were patched, the key root-access path was still open as of Wardle’s presentation on Saturday. Later that day, Zoom released a security bulletin, and shortly after that, Zoom 5.11.5 (9788) shipped with a fix. You can either select “Check for updates” in your menu bar or download the update directly from Zoom. For a number of reasons, we wouldn’t advise waiting for an automatic update. (Update: The timing of the update relative to Wardle’s disclosure has been clarified.)

Zoom’s software security history is patchy—and occasionally outright unsettling. After acknowledging that it had deceived the FTC for years about providing end-to-end encryption, the firm reached a settlement with the agency in 2020. Wardle previously disclosed a Zoom flaw that let attackers obtain Windows login credentials by sending a text message. Before that, Zoom was found to be running a full undocumented web server on Macs, which prompted Apple to push its own silent update to remove the server.

A Zoom issue from May of last year used a similar downgrade and signature-check bypass to enable zero-click remote code execution. Dan Goodin of Ars observed that his Zoom client did not automatically update when the fix for that problem was released; instead, a manual download of an interim version was required. If Zoom clients aren’t updated promptly, attackers may be able to exploit disclosed Zoom vulnerabilities quickly, Goodin noted. Without root access, of course.
