The latest, safest version of the video conferencing software has had a number of privacy and security issues over the years. At DefCon, a Mac security researcher disclosed vulnerabilities in a tool that could have been used to take control of a victim's computer. Patrick Wardle presented two vulnerabilities at the conference. The first involves the check in charge of blocking attackers from tricking the automatic update installer into installing an older version of the app.
Wardle discovered that attackers could get past it by changing the name of their file. Once they were in, they could control the victim's Mac. The fix for the bug that Wardle disclosed contained another bug. The second vulnerability could have allowed attackers to circumvent the safeguard meant to make sure an update is delivered. According to Wardle, it is possible to trick a tool that facilitates the update distribution into accepting an older version of the video conferencing software.
At the conference, Wardle presented another vulnerability that was also fixed by Zoom. There is a point in time between the auto-installer's verification of a software package and the actual installation process that allows an attacker to inject malicious code. The downloaded package can retain its original read-write permission, so users without root access can swap its contents with malicious code and take control of the computer.
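The gap between verification and installation described above is a time-of-check/time-of-use problem, and the usual defence is to verify and install one private, read-only copy. The following is an added example, not code from Zoom or from Wardle's talk; the function names, the file names and the use of a SHA-256 digest as a stand-in for the installer's package verification are assumptions.

```python
import hashlib, os, stat, tempfile

def is_tamperable(path):
    """True if someone other than the owner can rewrite the file or replace it via its directory."""
    for p in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(p)
        if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False

def stage_and_verify(src, staging_dir, expected_sha256):
    """Copy src into a private file, hashing the exact bytes written, and return the staged path."""
    dst = os.path.join(staging_dir, "staged.pkg")  # hypothetical name
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            for chunk in iter(lambda: inp.read(65536), b""):
                digest.update(chunk)   # the bytes checked are the bytes kept
                out.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise ValueError("package digest mismatch")
        os.chmod(dst, 0o400)           # read-only before it is handed to the installer
    except BaseException:
        os.unlink(dst)                 # never leave an unverified copy behind
        raise
    return dst

def demo():
    work = tempfile.mkdtemp()          # stands in for the download location
    staging = tempfile.mkdtemp()       # mode 0700, stands in for a root-owned directory
    pkg = os.path.join(work, "update.pkg")
    with open(pkg, "wb") as f:
        f.write(b"constructed package bytes")   # constructed sample input
    os.chmod(pkg, 0o666)               # the retained read-write permission
    expected = hashlib.sha256(b"constructed package bytes").hexdigest()
    flagged = is_tamperable(pkg)
    staged = stage_and_verify(pkg, staging, expected)
    with open(pkg, "wb") as f:         # the download changes after verification
        f.write(b"swapped contents")
    with open(staged, "rb") as f:
        installed = f.read()           # what the installer would actually consume
    return flagged, is_tamperable(staged), installed

if __name__ == "__main__":
    print(demo())
```

The installer step would then operate only on the staged path, never on the original download.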
The company said that it is working on a patch for the vulnerability that Wardle has disclosed. Attackers need to have access to a user's device in order to exploit the flaws. Even if there's no immediate danger for most people, it's a good idea to keep up with the latest version of the app.