At this year’s DefCon cybersecurity conference, researcher Patrick Wardle revealed two vulnerabilities in Zoom that could allow attackers to gain access to macOS computers. The first is the app’s signature check, which certifies the integrity of the installed update and checks it to make sure it’s a new version of Zoom. The signature is responsible for preventing attackers from forcing the automatic updater to download an older and more vulnerable version of the program.
Wardle discovered that attackers can bypass signature verification by naming their malware file in a specific way. This allowed them to gain root access and control the victim’s Mac. Wordle notified Zoom about the bug back in December 2021, but the company released an update already with a different vulnerability. It could give attackers a way to bypass Zoom’s built-in protections to make sure the update has the latest version of the app. Wardle has reportedly discovered that it is possible to trick the tool that facilitates the distribution of Zoom updates into accepting an older version of the video conferencing software.
Zoom has already patched that bug, but Wardle found another vulnerability, which he also presented at the conference. He discovered that there is a time lag between the automatic installer checking the software package and the actual installation process, which allows an attacker to inject malicious code into the update. A downloaded package intended for installation can apparently retain its original read and write permissions, allowing any user to change it. This means that even non-root users can replace its contents with malicious code and gain control over the target computer.
The company told The Verge that it is currently working on a patch for the new vulnerability that Wardle disclosed. However, as Wired points out, attackers must have existing access to the user’s device to be able to exploit these vulnerabilities. Even though there is no immediate danger to most people, Zoom advises users to “keep up to date” with the app whenever it appears.