Zoom Is In Trouble Again… This Time They Have Security Issues With Their Update Process For Mac

Zoom seems to be a company that can’t stay out of trouble. This time, well-known security researcher Patrick Wardle has disclosed a trio of vulnerabilities in Zoom’s update process. Two have been patched, but one is unpatched, and Wired has the details:

During his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

“The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”

To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But Wardle’s findings are an important reminder to keep updating—automatically or not.

The bigger problem with this is that, yet again, Zoom has been caught with its pants down, so to speak. They keep having security issue after security issue, to the point where I wonder if they are playing “whack a mole” when it comes to fixing issues with their applications. At this point, one has to wonder if the company takes security seriously or not. Having said that, be sure to update when a fix for this latest security issue appears.
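The window the Wired excerpt describes, between verifying the package and installing it, is a time-of-check/time-of-use gap. The following is an added example, not Zoom's or Wardle's code, of one general way an updater can close that gap: copy the package into a directory only the installer can write, hash the same bytes it copies, and install only from that copy. A SHA-256 digest obtained from a trusted source stands in for a signature check here, and `stage_and_verify`, `demo` and the file names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024

def stage_and_verify(src_path, expected_sha256, staging_root=None):
    """Copy src_path into a private directory, hashing the bytes while copying.

    Returns the staged path only if the digest of the copied bytes matches.
    The installer must then install from the returned path, never src_path.
    """
    # O_NOFOLLOW: refuse a symlink planted at the download path.
    src_fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(src_fd, "rb") as src:
        # mkdtemp creates a mode-0700 directory owned by this (privileged) process.
        staging_dir = tempfile.mkdtemp(prefix="update-", dir=staging_root)
        staged_path = os.path.join(staging_dir, "package.pkg")
        # O_EXCL: fail instead of reusing a file someone else pre-created.
        dst_fd = os.open(staged_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
        digest = hashlib.sha256()
        with os.fdopen(dst_fd, "wb") as dst:
            while chunk := src.read(CHUNK):
                digest.update(chunk)  # hash exactly the bytes being staged
                dst.write(chunk)
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        os.unlink(staged_path)
        os.rmdir(staging_dir)
        raise ValueError("package digest mismatch; refusing to install")
    return staged_path

def demo():
    """Constructed scenario: the download is modified after verification."""
    payload = b"constructed sample update package"
    trusted = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as downloads:
        download = os.path.join(downloads, "update.pkg")
        with open(download, "wb") as f:
            f.write(payload)
        staged = stage_and_verify(download, trusted)
        with open(download, "wb") as f:  # change made after the check
            f.write(b"modified after verification")
        with open(staged, "rb") as f:
            unchanged = f.read() == payload
    os.unlink(staged)
    os.rmdir(os.path.dirname(staged))
    return unchanged
```

Because the digest is computed over the bytes written to the staged file, a later change to the original download cannot alter what gets installed.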

