Communications company Zoom has released a patch to address a flaw that allowed threat actors to control a victim’s operating system on macOS.
The Zoom client has limited permissions as far as access to critical system files is concerned. However, once installed the Zoom auto-update function would run in the background continuously, with superuser privileges.
RELATED RESOURCE
Adding value to Microsoft Teams beyond voice connectivity
How AudioCodes can understand your broader business communication needs and fill in the gaps
In normal circumstances, this would simply check for updates from Zoom to install. Upon receiving one, the Zoom updater would run a process to verify that the update bore a cryptographic signature from the company, and was, therefore, a legitimate file to run.
Objective-See founder Patrick Wardle discovered that any file, renamed with Zoom’s cryptographic certificate, would be accepted by the updater as a legitimate Zoom file. As a result, threat actors could use the Zoom updater to run any file as a superuser.
As a result of the flaw, Zoom for macOS had unwittingly become a launchpad for privilege escalation attacks, in which a threat actor with limited access to a victim’s machine uses an exploit to gain elevated privileges that give them greater control. In the case of the Zoom flaw, threat actors could use the updater to delete or amend key system files, with the superuser privilege granting almost unlimited access to the machines of victims.
An update, released on August 13 by Zoom, has now appeared to have fixed the problem. On its security bulletin, the company identified the issue being fixed as “a vulnerability in the auto-update process".
“We released an update to address the newly reported vulnerability for the macOS auto updater in the Zoom Client for Meetings for macOS version 5.11.5 and are evaluating additional security enhancements,” said a Zoom spokesperson, in a statement to IT Pro.
This is not the first flaw found with Zoom's macOS app, with an update released earlier this year addressing an issue in which the microphones of users continued to be accessed by the Zoom client even after a meeting had ended.
Wardle exposed the flaw publicly during his talk ‘"You're M̶u̶t̶e̶d̶ Rooted’ at the Def Con hacking conference on August 12, stating that he had made the company aware of it through the proper channels as far back as December 2021.
In the months that followed, the company was reportedly slow to act. On August 9, a patch designated CVE-2022-28751 was released, but Wardle found that the exploit was still achievable after the patch through an unspecified extra step.
Since the update, Wardle has voiced his approval on Twitter, stating “Mahalos to @Zoom for the (incredibly) quick fix!”. He also detailed the key change that the update brings, namely that the Zoom installer now invokes a function called lchown to modify the update file’s permissions, rather than the updater running at constant superuser privilege.
This article was updated to include a statement from Zoom.
-
Lenovo Idea Tab Plus reviewReviews Low specs and a terrible stylus weigh Lenovo's Idea Tab Plus down – but it has a bright screen and decent battery life
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
