Zoom’s auto-update option ensures users have the latest and most secure version of the video conferencing software, which has suffered multiple privacy and security issues over the years. But at this year’s DefCon, a Mac security researcher reported that vulnerabilities he found in the tool could be used by attackers to take full control of a victim’s computer. Patrick Wardle cited two vulnerabilities during the conference, Wired reported. The first was in the app’s signature check, which confirms the integrity of the update being installed and examines it to make sure it is a new version of Zoom. In other words, the check is responsible for preventing attackers from tricking the automatic update installer into downloading an older and more vulnerable version of the application.
Wardle discovered that attackers could bypass the signature check by naming the malware files a certain way. Attackers could then gain root access and control the victim’s Mac. The Verge says that Wardle reported the bug to Zoom in December 2021, but the fix Zoom offered contained another bug.
This second vulnerability may have given attackers a different way to circumvent the protection Zoom applies to ensure that an update delivers the latest version of the app. Wardle was reportedly able to trick a tool that simplifies Zoom’s update distribution into accepting an older version of the video conferencing software.
Zoom has now fixed this bug, but Wardle found another vulnerability, which he also presented at the conference. He discovered a window of time between the automatic installer validating a software package and the actual installation, during which an attacker could add malicious code to the update. A package downloaded for installation apparently keeps its original read-write permissions, which allow any user to modify it. This means that even non-root users can replace its contents with malicious code and take control of the target device.
The company told The Verge that it is working on a patch for the new vulnerability Wardle disclosed. But as Wired points out, attackers must already have access to a user’s device in order to exploit these flaws. Even if they are not an immediate danger to most people, Zoom advises users to keep up to date with the latest version of the application.
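A common mitigation for the gap between validation and installation described above, shown as an added example that is not Zoom's code or part of the original article: copy the download into a directory only the installer can write, verify that private copy, and install only from it. The function name, the `update.pkg` file name, and the use of a pinned SHA-256 digest in place of a package signature check are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


class UnsafePackage(Exception):
    """Raised when the staged package cannot be trusted."""


def stage_and_verify(src_path, expected_sha256):
    """Copy src_path into a private directory, then verify the private copy.

    Returns the path of the verified copy. The installer must use that path,
    never src_path, so a later write to src_path cannot affect the install.
    """
    # mkdtemp creates the directory with mode 0700, owned by the caller,
    # so no other unprivileged user can replace or edit files inside it.
    private_dir = tempfile.mkdtemp(prefix="update-stage-")
    staged = os.path.join(private_dir, "update.pkg")  # hypothetical name
    try:
        # O_NOFOLLOW: refuse a symlink planted at the source path.
        src_fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)
        with os.fdopen(src_fd, "rb") as src, open(staged, "xb") as dst:
            shutil.copyfileobj(src, dst)
        os.chmod(staged, 0o400)  # read-only, owner only

        # Verify the bytes that will be installed, not the original file.
        # A pinned digest stands in here for a real signature check.
        digest = hashlib.sha256()
        with open(staged, "rb") as f:
            st = os.fstat(f.fileno())
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafePackage("staged copy has unsafe owner or mode")
        if digest.hexdigest() != expected_sha256:
            raise UnsafePackage("digest mismatch")
        return staged
    except Exception:
        # Never leave a half-staged or unverified package behind.
        shutil.rmtree(private_dir, ignore_errors=True)
        raise
```

Because the check and the install both operate on the private copy, changing the world-writable download after verification has no effect on what gets installed.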