Many of you have been there: rushing to join a meeting you're already late for, you're hit with a prompt to download updates. If that has happened to you, you can enroll in the automatic update feature instead.
Launched in November 2021, the feature helps users keep up with software patches. Once you grant Zoom permission to install patches, you don't need to enter your system password again. It's easy. When Patrick Wardle noticed it, he wondered whether it was too easy.
At the DefCon security conference in Las Vegas today, Wardle presented two vulnerabilities he discovered in the automatic update feature. For an attacker who already had access to a target Mac, the vulnerabilities could have been chained and exploited to grant the attacker complete control of the machine. On Friday, Wardle announced to the audience that there was an additional vulnerability that he hadn't disclosed to Zoom.
"I wanted to know how they were setting this up," Wardle told WIRED. When he first looked at it, it seemed like they were doing things securely. "The quality of the code was more suspect when I looked closer."
Wardle says the feature uses a standard macOS helper tool to install updates after the user enters their password. The mechanism was set up so that only the Zoom application could talk to the helper; no one else would be able to mess with things. The feature also ran a signature check to confirm the integrity of the updates being delivered, and specifically checked that the software being installed was a new version of Zoom.
The first vulnerability was in the signature check, which acts as a sort of wax seal confirming the integrity of the software. From past research and his own software development, Wardle knew that truly verifying signatures under the conditions Zoom had set up can be difficult, and he realized there was a chance the check could be defeated. Imagine that you carefully sign a legal document and then put the piece of paper face down on a table next to a birthday card for your sister. The signature check was essentially looking at everything on the table and accepting the random birthday-card signature, instead of checking that the signature was in the right place. By changing the name of the software he was attempting to sneak through, Wardle was able to get a malicious package past the signature check.
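To make that failure mode concrete, here is an added toy model in Python; it is not Zoom's code and not from Wardle's research, and the package records, the trusted signer name and the demo key are all constructed. `weak_check` searches a flattened metadata dump for the trusted name, so a package whose filename merely contains that name passes, while `strict_check` reads the signer from its own field and verifies the signature over the payload.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not real signer identities or keys).
TRUSTED_SIGNER = "Trusted Vendor, Inc."
SIGNER_KEY = b"constructed-demo-key"  # stands in for the signer's private key


def sign(payload: bytes) -> str:
    """HMAC stands in for a real code signature over the package contents."""
    return hmac.new(SIGNER_KEY, payload, hashlib.sha256).hexdigest()


def describe(package: dict) -> str:
    """Flatten every field into text, like a tool dumping all it knows about a file."""
    return "\n".join(f"{key}: {value}" for key, value in package.items())


def weak_check(package: dict) -> bool:
    """The flawed pattern: accept if the trusted name appears anywhere in the dump.

    The filename is part of the dump, so a renamed package also matches."""
    return TRUSTED_SIGNER in describe(package)


def strict_check(package: dict) -> bool:
    """Read the signer from its designated field and verify the signature itself."""
    if package.get("signer") != TRUSTED_SIGNER:
        return False
    expected = sign(package["payload"])
    return hmac.compare_digest(expected, str(package.get("signature", "")))


# Constructed sample packages: a genuine update and the same renaming trick
# described in the article, applied to an unsigned payload.
GENUINE = {
    "name": "Updater.pkg",
    "signer": TRUSTED_SIGNER,
    "payload": b"genuine update bytes",
    "signature": sign(b"genuine update bytes"),
}
RENAMED = {
    "name": f"{TRUSTED_SIGNER} Updater.pkg",  # trusted name only in the filename
    "signer": "Unknown",
    "payload": b"unsigned payload",
    "signature": "0" * 64,
}
```

Running both checks over `GENUINE` and `RENAMED` shows the weak check accepting both while the strict check accepts only the genuine package; the strict check also rejects a genuine record whose payload was altered after signing.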