Yesterday I spoke of a flaw in Zoom’s update process on the Mac:
During his talk at DefCon, though, [Patrick] Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.
Over the last 24 hours, Zoom has rolled out a fix for this. Version 5.11.5 of its Mac app is now available and you should go download this now to fix this issue. And the guy who found this issue, Patrick Wardle has effectively given this fix his stamp of approval:
So while Zoom was able to fix this quickly, I have to say that this is simply the latest security flaw that has been found in their app. Over the years I have covered flaw after flaw with Zoom. And then there’s the part about them lying about end-to-end encryption and getting caught doing so. What that says to me is that their security processes are at best sketchy. If Zoom really wants to shake its past demons of playing fast and loose with security, then they need to make sure that stuff like this is an edge case and not a common occurrence. But for now, this issue is closed. Rest assured there’ll be another one, as I guarantee you that a lot of people are looking at their code for exploits. And not all of them will be like Patrick Wardle and tell Zoom about what they find.
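The quoted paragraph above describes a time-of-check/time-of-use window: the installer verifies the package, then installs whatever sits at that path a moment later. The following Python is an added illustration written for this post (not Zoom's code, and not the installer Wardle examined) that contrasts the fragile pattern of verifying by path and then installing by re-reading the path with the safer pattern of verifying the exact bytes that will be installed. The `between` hook, the file contents and the expected hash are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample package contents and the hash an updater would ship with it.
GOOD_PACKAGE = b"constructed-signed-package-v1"
EXPECTED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """Integrity check over the bytes actually held in memory."""
    return hashlib.sha256(data).hexdigest() == expected_hex


def install_by_path(pkg_path: str, expected_hex: str, between=None):
    """Fragile pattern: verify by opening the path, then install by opening it again.

    Anything that changes the file between the two opens is installed unverified.
    `between` is a hypothetical hook that stands in for that window.
    Returns the bytes that would be installed, or None if verification failed.
    """
    with open(pkg_path, "rb") as f:
        if not verify_bytes(f.read(), expected_hex):
            return None
    if between:
        between()
    with open(pkg_path, "rb") as f:
        return f.read()  # whatever is on disk now is what gets installed


def install_verified_bytes(pkg_path: str, expected_hex: str, between=None):
    """Safer pattern: read once, verify those bytes, install exactly those bytes.

    The file on disk is never consulted again after verification, so a change
    to it during the window cannot reach the install step.
    """
    with open(pkg_path, "rb") as f:
        data = f.read()
    if not verify_bytes(data, expected_hex):
        return None
    if between:
        between()
    return data


def demo() -> tuple:
    """Run both patterns with a simulated change to the file during the window."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(GOOD_PACKAGE)

        def overwrite_during_window():
            with open(path, "wb") as f:
                f.write(b"constructed-unverified-content")

        # Reset the file before each run so both start from the good package.
        fragile = install_by_path(path, EXPECTED_SHA256, overwrite_during_window)
        with open(path, "wb") as f:
            f.write(GOOD_PACKAGE)
        safe = install_verified_bytes(path, EXPECTED_SHA256, overwrite_during_window)
        return fragile, safe
    finally:
        os.unlink(path)


if __name__ == "__main__":
    fragile, safe = demo()
    print("path-based install got verified bytes:", fragile == GOOD_PACKAGE)
    print("bytes-based install got verified bytes:", safe == GOOD_PACKAGE)
```

A production updater would go one step further than holding the bytes in memory: copy the package into a directory only the privileged installer can write, verify it there, and install from that private copy, so there is no shared path for anyone else to touch between the check and the use.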
A Highly Dangerous Zoom #Phishing Email Is Making The Rounds
Posted in Commentary with tags Zoom on February 28, 2023 by itnerd

Since the start of the pandemic, Zoom has exploded in popularity as a means to communicate. But threat actors are latching onto that to advance their goals. Take this email for example:
It looks well crafted and seems like something that could come from Zoom. But look closer and you’ll see that it isn’t from Zoom. Starting with this:
This isn’t a Zoom email address as Zoom uses zoom.us as their domain. So right out of the gate, this is a red flag. Now I will say that unlike most phishing scams that I come across, the English in this email is decent. I guess threat actors are finally learning that their English needs to be on point if they have any hope of scamming someone. But what hasn’t changed is a call to action to get you to do what they want. Specifically this:
Please take note that your account will continue to be inactive until you install the security app. We’re sorry for any inconvenience this may cause.
If you think that you can’t use Zoom until you install this “Security App”, then you’re more likely to click on “Install Security App”. Which, by the way, you should not click on. But because I am a trained professional, I did. And here’s what I got:
Now I have to admit that the threat actors spent a lot of time and effort making this look just like something that Zoom would do. But a closer look shows that this isn’t a Zoom web page:
Again, Zoom’s domain for web and email is Zoom.us. Thus this is another red flag. And to reinforce the fact that they want you to do what the threat actors want, there’s this:
This makes me think that this scam is aimed at companies who use Zoom rather than individuals as those are all features that companies use. Also, you’ll notice that the quality of the English falls apart here.
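The two red flags called out above, a sender address and a landing page that are not on zoom.us, are the kind of check a mail filter can apply mechanically. The Python below is an added example for this post, not anything from Zoom or from the phishing kit being discussed: it parses a constructed sample message, pulls the sender domain and every link host out of it, and flags any that are not zoom.us or a subdomain of it. The sample addresses and hostnames are made up for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the post identifies as Zoom's own for web and email.
LEGIT_DOMAINS = {"zoom.us"}

# Constructed sample message modelled on the red flags described in the post.
SAMPLE_EMAIL = """From: "Zoom Security" <no-reply@zoom-security-notice.example>
To: user@company.example
Subject: Action required: install the Zoom security app
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will remain inactive until you install the security app.</p>
<p><a href="https://zoom.us/download">Download Zoom</a></p>
<p><a href="https://zoom.us.example/security-app/setup.exe">Install Security App</a></p>
</body></html>
"""


def is_legit_host(host: str) -> bool:
    """True only for zoom.us itself or a real subdomain of it.

    A suffix match on ".zoom.us" rejects lookalikes such as zoom.us.example,
    where "zoom.us" is merely a prefix of the attacker-controlled name.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class LinkExtractor(HTMLParser):
    """Collects href targets from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def audit_message(raw: str) -> list:
    """Return (kind, domain) findings for the sender and each link off zoom.us."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    if not is_legit_host(sender_domain):
        findings.append(("sender-domain", sender_domain))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href in extractor.links:
        host = urlparse(href).hostname or ""
        if not is_legit_host(host):
            findings.append(("link-host", host))
    return findings


if __name__ == "__main__":
    for kind, domain in audit_message(SAMPLE_EMAIL):
        print(f"red flag: {kind} {domain}")
```

The legitimate download link in the sample passes while the lookalike host and the sender domain are reported, which is exactly the distinction the post draws by eye. A real filter would add SPF/DKIM alignment and a reputation lookup on the flagged hosts, but the domain comparison is the cheap first cut.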
I’m pretty sure that if you click download, you’ll get some malware. Let’s find out by taking a Windows 11 virtual machine and trying to install it just for giggles. I recorded the install process for you to view.
Now I did compare this to the real Zoom installer and the install process is identical. The only thing that jumps out at me is the version number, which is version 5.13.5 (12053). The latest version that I am aware of for Windows is 5.13.10 (13305) which makes this slightly older. I also noted that Microsoft Defender didn’t stop this. I also ran this by VirusTotal and it didn’t flag this as suspicious either. That implies that this is a novel attack of some sort which makes this extremely dangerous. I am going to investigate this further and I will update you with my findings. But in the meantime, I have reached out to Zoom and submitted all of this information so that they can put an end to this. But until they do, I would not only watch out for this threat if it hits your inbox, I would send this out far and wide to make sure nobody gets hit with this as clearly this threat is dangerous.
UPDATE: You can read my analysis of this threat here.