A critical vulnerability in Zoom for Mac OS allowed unauthorized users to downgrade Zoom or even gain root access. It has been fixed, and users should update now.

If you're using Zoom on a Mac, it's time for a manual update. The video-conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to abuse its elevated installation privileges.

Patrick Wardle was the first to discover the vulnerability. The auto-update function, which is enabled by default, does not require a user password to install or uninstall updates. The updater is owned by and runs as the root user.

The gist of how Zoom's auto-update utility allows for privilege escalation exploits, from Patrick Wardle's Def Con talk.

Only Zoom clients were supposed to be able to connect to the privileged daemon, and only packages signed by Zoom were supposed to be installable. The problem is that this check could be bypassed simply by giving a package the name the verification checker was looking for, one containing the signing certification authority's name. That meant malicious actors could force Zoom to downgrade to a buggier, less secure version, or even gain root access to the system.
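To make the failure mode concrete, here is an added illustration (not Zoom's code, and not Wardle's proof of concept) of the difference between a check that trusts a package because its name contains the expected signer strings and one that verifies a signature over the package contents and refuses downgrades. The package names, versions, payload bytes and signing key are constructed for the demo, and the HMAC is a stand-in for a real code-signature verification, used only so the example runs offline with the standard library.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Strings the weak checker looks for in a package name (constructed for this demo).
TRUSTED_SIGNER = "Zoom Video Communications, Inc."
TRUSTED_CA = "Developer ID Certification Authority"

# Constructed signing key. In real code signing the OS verifies an X.509
# certificate chain; an HMAC is used here only as a stand-in for "a signature
# that is cryptographically bound to the package bytes".
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass
class Package:
    filename: str
    version: Tuple[int, int, int]
    payload: bytes
    signature: Optional[bytes]  # None models an unsigned package


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Produce the stand-in signature over the package contents."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def vulnerable_is_trusted(pkg: Package) -> bool:
    """Weak check: trusts any package whose NAME contains the expected strings.
    This is the pattern the article describes; the contents are never verified."""
    return TRUSTED_SIGNER in pkg.filename and TRUSTED_CA in pkg.filename


def hardened_is_trusted(pkg: Package, key: bytes = SIGNING_KEY) -> bool:
    """Hardened check: verifies a signature over the payload; the filename is ignored."""
    if pkg.signature is None:
        return False
    return hmac.compare_digest(sign(pkg.payload, key), pkg.signature)


def hardened_should_install(pkg: Package, installed: Tuple[int, int, int],
                            key: bytes = SIGNING_KEY) -> bool:
    """Install only if the package is genuinely signed AND newer than what is installed,
    so a valid but older package cannot be used to roll back to a buggier version."""
    return hardened_is_trusted(pkg, key) and pkg.version > installed


def demo() -> dict:
    """Run both checkers over three constructed packages and return the verdicts."""
    installed = (5, 11, 5)
    genuine = Package("zoomupdate-5.11.6.pkg", (5, 11, 6), b"genuine update bytes",
                      sign(b"genuine update bytes"))
    # Forged: unsigned, but named so the weak checker finds the strings it wants.
    forged = Package(f"{TRUSTED_SIGNER} {TRUSTED_CA}.pkg", (9, 9, 9),
                     b"attacker-controlled bytes", None)
    # Genuinely signed by the vendor, but an OLDER version (downgrade attempt).
    old_signed = Package("zoomupdate-5.10.0.pkg", (5, 10, 0), b"old release bytes",
                         sign(b"old release bytes"))
    return {
        "weak_accepts_forged": vulnerable_is_trusted(forged),
        "weak_accepts_genuine": vulnerable_is_trusted(genuine),
        "hardened_accepts_forged": hardened_is_trusted(forged),
        "hardened_installs_genuine": hardened_should_install(genuine, installed),
        "hardened_installs_downgrade": hardened_should_install(old_signed, installed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things stand out when the demo runs: the name-based check accepts the forged package while rejecting the genuine one (whose filename happens not to contain the magic strings), and the hardened path rejects the vendor-signed older package, which is the downgrade case the article warns about.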


Some aspects of the vulnerability were addressed, but key root access was still available as of Wardle's talk on Saturday. After the security bulletin was issued, a patch was released in version 5.11.5. You can check for updates by clicking on your menu bar options; we don't recommend waiting for an automatic update. Update: this story has been revised to clarify Wardle's disclosure and timing.

Zoom's software security record is at times frightening. The company admitted in 2020 that it had lied for years about offering end-to-end encryption. Wardle has also reported that attackers could steal Windows credentials by sending a string of text. Zoom was also caught running an entire undocumented web server, after which Apple issued a silent update to kill the server.

Last May, a flaw that allowed zero-click remote code execution had to be fixed. When the fix arrived, a manual download of an intermediate version was required before the client could be updated. As Goodin noted, a hacker can take advantage of an exposed vulnerability quickly, and that was a flaw without root access.