If you’re using Zoom on a Mac, it’s time to update manually. The latest update to the video conferencing software fixes a vulnerability in its automatic update feature that could let malicious programs abuse the installer’s elevated privileges to escalate their own privileges and take control of the system.

From the report:

The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a non-profit Mac OS security group. In a talk at Def Con last week, Wardle detailed how Zoom’s installer asks for a user’s password when installing or uninstalling, but its auto-update feature, which is turned on by default, doesn’t need one. Wardle discovered that the Zoom updater is owned and run by the root user.

This seemed secure, as only Zoom clients could connect to the privileged daemon, and only Zoom-signed packages could be extracted. The problem is that by simply passing the verifier the name of the package it was looking for (“Zoom Video … Apple Root CA.pkg”), this check can be bypassed. This meant that attackers could force Zoom to switch to a more buggy, less secure version, or even pass it a completely different package that could give them root access to the system.
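
The flaw class described in the report, modeled as an added example (not Zoom's code and not from the report): a check that searches a text report containing the caller-chosen file name, next to a check that compares the validated signer chain and rejects downgrades. The signer names, report layout, version numbers and all function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder chain, not any vendor's real certificate names.
EXPECTED_CHAIN = ("Example Vendor, Inc.", "Example Developer ID CA", "Example Root CA")


@dataclass(frozen=True)
class Package:
    file_name: str     # chosen by whoever hands the package to the updater
    cert_chain: tuple  # signer names produced by real signature validation
    version: tuple     # constructed version number, e.g. (2, 1, 0)


def signature_report(pkg):
    """Constructed text report that echoes the file name above the chain."""
    rows = [f"    {i}. {cn}" for i, cn in enumerate(pkg.cert_chain, 1)]
    return "\n".join([f'Package "{pkg.file_name}":', "   Certificate Chain:", *rows])


def weak_verify(pkg):
    """Flawed: accepts if the expected names appear anywhere in the report,
    so text supplied through the file name satisfies the check."""
    report = signature_report(pkg)
    return all(cn in report for cn in EXPECTED_CHAIN)


def strict_verify(pkg, installed_version):
    """Hardened: compares the validated chain itself, never the file name,
    and refuses any package that is not newer than the installed version."""
    return pkg.cert_chain == EXPECTED_CHAIN and pkg.version > installed_version


INSTALLED = (2, 0, 0)  # constructed
genuine = Package("update.pkg", EXPECTED_CHAIN, (2, 1, 0))
old_signed = Package("update.pkg", EXPECTED_CHAIN, (1, 0, 0))
renamed = Package(" ".join(EXPECTED_CHAIN) + ".pkg", ("Unknown Signer",), (9, 9, 9))

if __name__ == "__main__":
    cases = [("genuine", genuine), ("old but signed", old_signed), ("renamed", renamed)]
    for label, pkg in cases:
        print(f"{label:15} weak={weak_verify(pkg)} "
              f"strict={strict_verify(pkg, INSTALLED)}")
```

The weak check accepts all three packages; the strict check accepts only the genuine, newer one.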