Zoom has patched a vulnerability in its Mac app's automatic updating function that could grant an attacker macOS root privileges.
The then-unpatched vulnerability was revealed at the Def Con hacking conference on Friday by Patrick Wardle of Objective-See. Zoom released another patch on Saturday to try to close off the exploit.
Wardle discovered a privilege escalation attack in the Zoom application, specifically one that takes advantage of Zoom's own installer. Once a user has entered their password for the first installation of Zoom on their Mac, the auto-updater continues to run with superuser privileges.
The Verge reports:
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.
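To make the class of bug described in that quote concrete, here is an added illustration (not Zoom's or The Verge's code, and not the real updater logic): a signature check that merely looks for the vendor's certificate name anywhere in a textual report is satisfied by a package whose file name contains that string, while a check that parses the report's status and leaf-certificate fields exactly is not. The signer name and the report format are constructed for the example.

```python
import re

# Hypothetical trusted signer name; not Zoom's real certificate subject.
TRUSTED_SIGNER = "Developer ID Installer: Example Vendor, Inc."

# Constructed signature report in a generic format (not real tool output).
GENUINE_REPORT = """Package "Example-Update.pkg":
   Status: signed by a developer certificate
   Certificate Chain:
    1. Developer ID Installer: Example Vendor, Inc.
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

# Constructed report for an unsigned package whose *file name* contains the
# trusted signer string; the tool echoes that name in the first line.
SPOOFED_REPORT = """Package "Developer ID Installer: Example Vendor, Inc..pkg":
   Status: no signature
"""


def naive_is_trusted(report: str) -> bool:
    """Weak check: accept if the signer name appears anywhere in the text.

    The package's own file name is part of the report, so a file named
    after the signer passes even though it carries no valid signature.
    """
    return TRUSTED_SIGNER in report


def strict_is_trusted(report: str) -> bool:
    """Hardened check: require a valid-signature status line and an exact
    match on the parsed leaf certificate field, never a free-text search."""
    status = re.search(r"^\s*Status:\s*(.+?)\s*$", report, re.M)
    leaf = re.search(r"^\s*1\.\s*(.+?)\s*$", report, re.M)
    if status is None or leaf is None:
        return False
    if status.group(1) != "signed by a developer certificate":
        return False
    return leaf.group(1) == TRUSTED_SIGNER


if __name__ == "__main__":
    for name, report in (("genuine", GENUINE_REPORT), ("spoofed", SPOOFED_REPORT)):
        print(name, "naive:", naive_is_trusted(report), "strict:", strict_is_trusted(report))
```

Even the strict variant only inspects a text report; a production updater should verify the package signature against a pinned certificate rather than compare display names at all.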
Wardle reported the issue to Zoom in December, but then noticed that the initial fix contained another bug that left the vulnerability exploitable. Wardle then told Zoom about the second bug as well.
On August 13, Zoom released another patch for its macOS client, again targeting the same vulnerability.
For more information, visit the Zoom security bulletin page.