Zoom’s auto-update option can help users ensure they have the latest and most secure version of the video conferencing software, which has had several privacy and security issues over the years. At this year’s DefCon, however, a Mac security researcher reported vulnerabilities he found in the tool that attackers could have exploited to gain full control of a victim’s computer. According to Wired, Patrick Wardle presented two vulnerabilities during the conference. He found the first in the app’s signature check, which certifies the integrity of the update being installed and examines it to make sure it’s a new version of Zoom. In other words, the check is responsible for blocking attackers from tricking the auto-update installer into downloading an older, vulnerable version of the application.
Wardle discovered that attackers could bypass the signature check by naming their malware file a certain way. Once past the check, they could gain root access and control the victim’s Mac. The Verge says Wardle disclosed the bug to Zoom in December 2021, but the fix Zoom implemented contained another bug. This second vulnerability could have given attackers a way to bypass the safeguard Zoom put in place to ensure that an update delivers the latest version of the app. Wardle found that it was possible to trick a tool that facilitates the distribution of Zoom updates into accepting an older version of the video conferencing software.
Zoom fixed that flaw as well, but Wardle found another vulnerability, which he also presented at the conference. He discovered that there is a window between the automatic installer’s verification of a software package and the actual installation that allows an attacker to inject malicious code into the update. A downloaded package intended for installation can apparently retain its original read and write permissions, allowing any user to modify it. This means that even non-root users could replace its contents with malicious code and gain control of the target computer.
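The check-then-install window described above, as an added illustration that is not Zoom’s code: a constructed Python simulation of an installer that verifies a world-writable package and then re-reads it, beside a hardened version that refuses packages writable by other users, copies the package into a private directory, and installs only the bytes it actually verified. File names, contents and the simulated race are constructed; a POSIX permission model is assumed.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path
# Constructed stand-ins for a genuine update and for content another (non-root)
# local user swaps in during the check-to-install window. Not Zoom's code.
GOOD = b"genuine update package"
TAMPERED = b"altered package contents"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_unsafe(pkg_path, expected, race=None):
    """Verify the file on disk, then read it AGAIN to install (TOCTOU window)."""
    if sha256(Path(pkg_path).read_bytes()) != expected:
        return None
    if race:
        race(pkg_path)       # another user rewrites the package inside the window
    return Path(pkg_path).read_bytes()   # whatever is there now gets "installed"

def install_safe(pkg_path, expected, race=None):
    """Reject packages writable by others, copy to a 0700 dir, verify that copy once."""
    if os.stat(pkg_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("package is writable by other users")
    with tempfile.TemporaryDirectory() as private_dir:   # mkdtemp creates it 0700
        copy = Path(private_dir, "update.pkg")
        shutil.copyfile(pkg_path, copy)
        data = copy.read_bytes()
        if race:
            race(pkg_path)   # too late: the original is never consulted again
        if sha256(data) != expected:
            return None
        return data          # exactly the bytes that were verified

def demo():
    """Run both installers under a simulated race; returns what each installed."""
    def swap(path):
        Path(path).write_bytes(TAMPERED)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d, "update.pkg")
        for label, mode, installer in (("unsafe", 0o666, install_unsafe),
                                       ("safe_world_writable", 0o666, install_safe),
                                       ("safe_private", 0o644, install_safe)):
            pkg.write_bytes(GOOD)
            os.chmod(pkg, mode)
            try:
                results[label] = installer(pkg, sha256(GOOD), swap)
            except PermissionError as e:
                results[label] = str(e)
    return results
```

Running `demo()` shows the unsafe installer shipping the swapped-in bytes, the hardened one rejecting the world-writable package outright, and the hardened one installing the verified bytes even when the original file is rewritten mid-install.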
The company told The Verge that it is now working on a patch for the new vulnerability that Wardle disclosed. As Wired points out, however, attackers must have existing access to a user’s device in order to exploit these flaws. Even if there’s no immediate danger to most people, Zoom advises users to “keep up to date with the latest version” of the app whenever it’s released.