Zoom installer for macOS has security flaw granting elevated system privileges


The macOS version of Zoom, specifically its installer, exposes Apple computers and laptops to a serious security vulnerability. If exploited correctly, the bug in the configuration of the Zoom application can grant an attacker complete control of a Mac. Worryingly, Zoom attempted to fix the configuration, but the fix did not fully close the flaw.

Mac security expert Patrick Wardle presented the security flaw at the Def Con hacking conference in Las Vegas on Friday. While Zoom fixed some of the bugs, Wardle successfully demonstrated an unpatched vulnerability that still affects macOS.

Interestingly, Apple requires a user or owner installing software to enter their login password. However, Wardle discovered that Zoom's automatic update feature keeps running in the background with superuser privileges.

A potential attacker is able to exploit the vulnerability simply because the Zoom installer must run with special user permissions. This special case exists when installing and removing the Zoom application on a computer running macOS.

During each installation process, the update function checks whether the installer has been cryptographically signed by Zoom. However, a bug in the verification method granted elevated privileges to any file with the same name as Zoom’s signing certificate.

Simply put, an attacker could potentially execute any type of malware. This is a privilege escalation attack, and it usually starts inside an account that has restricted system-level access. The Zoom installer bug essentially granted an attacker “SuperUser” or “ROOT” access.
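The verification mistake described above, trusting the signer's display name rather than a pinned, cryptographically verified identity, can be made concrete with a small defensive check. The following is an added example, not Zoom's code or Wardle's; it parses `codesign -dvv` output and contrasts a name-only check with a pinned Team ID check, using constructed sample output and a placeholder Team ID (the real vendor Team ID is an assumption the deployer must fill in).

```python
"""Verify a macOS bundle's signer by pinned identity, not by display name (added example)."""
import subprocess

# Assumption: the deployer replaces this placeholder with the vendor's real Apple Team ID.
PINNED_TEAM_ID = "PLACEHOLDER_TEAM_ID"

# Constructed sample of `codesign -dvv` output for a genuinely Developer ID-signed bundle.
GENUINE = """Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Vendor, Inc. (PLACEHOLDER_TEAM_ID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER_TEAM_ID
"""

# Constructed sample for a bundle signed with a self-made certificate that merely copies the
# vendor's name: the Authority line looks right, but there is no Apple chain and no Team ID.
LOOKALIKE = """Identifier=com.example.app
Authority=Developer ID Application: Example Vendor, Inc. (PLACEHOLDER_TEAM_ID)
TeamIdentifier=not set
"""


def parse_codesign_info(text: str) -> dict:
    """Turn `key=value` lines into a dict; repeated Authority lines become an ordered chain list."""
    info: dict = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key == "Authority":
            info.setdefault("Authority", []).append(val)
        else:
            info[key] = val
    return info


def name_only_check(info: dict, vendor_name: str) -> bool:
    """Weak pattern: accept any signer whose certificate name contains the vendor's name."""
    return any(vendor_name in auth for auth in info.get("Authority", []))


def pinned_identity_check(info: dict, team_id: str = PINNED_TEAM_ID) -> bool:
    """Hardened pattern: exact Team ID match and a chain anchored at Apple's root CA."""
    chain = info.get("Authority", [])
    return info.get("TeamIdentifier") == team_id and bool(chain) and chain[-1] == "Apple Root CA"


def verify_bundle(path: str, team_id: str = PINNED_TEAM_ID) -> bool:
    """On a live Mac: the signature must validate AND the signer must be the pinned identity."""
    if subprocess.run(["codesign", "--verify", "--strict", "--deep", path], capture_output=True).returncode != 0:
        return False
    out = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return pinned_identity_check(parse_codesign_info(out.stdout + out.stderr), team_id)
```

Both samples pass the name-only check, but only the genuine one passes the pinned check; a production updater should additionally express this as a designated requirement evaluated by the Security framework.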

Wardle is the founder of the Objective-See Foundation. He followed proper disclosure protocols, alerting Zoom to the bug in December 2021 and even offering a way to fix the flaw.

According to Wardle, Zoom fixed the flaw a few weeks before the Def Con event. However, the bug was still exploitable. Although Zoom has changed how the installer works, an attacker can still add, delete, or modify files far beyond the access level of an ordinary account.

Source: The Edge
