Zoom Fixes Mac Security Bug… Until Someone Discovers The Next Security Bug

Yesterday I spoke of a flaw in Zoom’s update process on the Mac:

During his talk at DefCon, though, [Patrick] Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.
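The quoted paragraph describes a time-of-check to time-of-use (TOCTOU) defect: the installer verifies a package at one path, then installs from that same path, so anything that can rewrite the file in between gets installed with the privileges of the verifier. The following Python is an added example written for this post, not Zoom's code or Wardle's proof of concept; the function names, the SHA-256 digest standing in for a real code-signature check, and the constructed package bytes are all assumptions made for the demonstration. It shows the weak check-then-use pattern beside the usual remedy, which is to copy the package into a private staging directory that only the installer can write, verify the copy, and install exactly what was verified.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Optional

# Hypothetical helper: digest of a file read in chunks (stands in for a signature check).
def sha256_of_path(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Weak pattern: verify the file at pkg_path, then install from pkg_path again.
# `after_verify` is a test hook that stands in for whatever happens to the file
# between the two steps; in a real race it would be another process.
def vulnerable_install(pkg_path: str, expected_sha256: str, install_dir: str,
                       after_verify: Optional[Callable[[], None]] = None) -> str:
    if sha256_of_path(pkg_path) != expected_sha256:
        raise ValueError("package failed verification")
    if after_verify:
        after_verify()            # the window between check and use
    target = os.path.join(install_dir, "installed.bin")
    shutil.copyfile(pkg_path, target)   # re-reads a path the verifier does not control
    return target

# Hardened pattern: stage into a directory only this process can write (mkdtemp creates
# it with mode 0700), verify the private copy, and install that same copy.
def hardened_install(pkg_path: str, expected_sha256: str, install_dir: str,
                     after_verify: Optional[Callable[[], None]] = None) -> str:
    staging = tempfile.mkdtemp(prefix="installer-")
    try:
        private_copy = os.path.join(staging, "package.bin")
        shutil.copyfile(pkg_path, private_copy)
        if sha256_of_path(private_copy) != expected_sha256:
            raise ValueError("package failed verification")
        if after_verify:
            after_verify()        # changes to pkg_path no longer matter
        target = os.path.join(install_dir, "installed.bin")
        shutil.copyfile(private_copy, target)
        return target
    finally:
        shutil.rmtree(staging, ignore_errors=True)

# Constructed scenario: a genuine package is verified, then the file at the original
# path is overwritten before the install step. Returns the bytes that ended up installed.
def demo(installer: Callable[..., str]) -> bytes:
    workdir = tempfile.mkdtemp(prefix="demo-")
    try:
        pkg = os.path.join(workdir, "update.pkg")
        genuine = b"GENUINE UPDATE v5.11.5"          # constructed sample content
        with open(pkg, "wb") as f:
            f.write(genuine)
        expected = hashlib.sha256(genuine).hexdigest()

        def overwrite_after_check() -> None:        # simulates the swap in the window
            with open(pkg, "wb") as f:
                f.write(b"UNVERIFIED CONTENT")

        install_dir = os.path.join(workdir, "installed")
        os.mkdir(install_dir)
        target = installer(pkg, expected, install_dir, after_verify=overwrite_after_check)
        with open(target, "rb") as f:
            return f.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    print(demo(vulnerable_install))   # b'UNVERIFIED CONTENT'
    print(demo(hardened_install))     # b'GENUINE UPDATE v5.11.5'
```

The hook makes the race deterministic for teaching purposes; in practice the two steps run in a privileged helper while the package sits in a user-writable location, which is why the staging directory must be owned by, and writable only by, that privileged helper. Verifying the private copy rather than the original also covers the case where the file changes before the copy is made: the digest then simply fails and nothing is installed.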

Over the last 24 hours, Zoom has rolled out a fix for this. Version 5.11.5 of its Mac app is now available, and you should download it now to fix this issue. And the guy who found this issue, Patrick Wardle, has effectively given this fix his stamp of approval:

So while Zoom was able to fix this quickly, I have to say that this is simply the latest security flaw that has been found in their app. Over the years I have covered flaw after flaw with Zoom. And then there's the part about them lying about end-to-end encryption and getting caught doing so. What that says to me is that their security processes are at best sketchy. If Zoom really wants to shake their past demons of playing fast and loose with security, then they need to make sure that stuff like this is an edge case and not a common occurrence. But for now, this issue is closed. Rest assured there'll be another one, as I guarantee you that a lot of people are looking at their code looking for exploits. And not all of them will be like Patrick Wardle and tell them about what they find.

