Zoom installer flaw can give attackers root access to Mac: Report

A security researcher has found a way that an attacker could leverage the mac OS version of Zoom to gain access over the entire operating system.

Zoom, video chat, conference
Zoom
IANS San Francisco
2 min read Last Updated : Aug 13 2022 | 2:39 PM IST

A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.

According to The Verge, details of the exploit were released in a presentation by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas this week.

Zoom has already fixed some of the bugs involved, but the researcher also presented one unpatched vulnerability that still affects systems now.

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions to install or remove the main Zoom application from a computer.

Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom.

But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom's signing certificate would be enough to pass the test -- so an attacker could substitute any malware program and have it be run by the updater with elevated privilege, the report said.

The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system and then employs an exploit to gain a higher level of access.

In this case, the attacker begins with a restricted user account but escalates into the most powerful user type -- known as a "superuser" or "root" -- allowing them to add, remove, or modify any files on the machine.

--IANS

vc/ksk/

(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)

Subscribe to Business Standard digital and get complimentary access to The New York Times

Quarterly Starter

₹900

3 Months

₹300/Month

SAVE 25%

Smart Essential

₹2,700

1 Year

₹225/Month

Save 46%

Super Saver

₹3,900

2 Years

₹162/Month

Subscribe

Renews automatically, cancel anytime

Here’s what’s included in our digital subscription plans

Access to Exclusive Premium Stories Online

  • Over 30 behind the paywall stories daily, handpicked by our editors for subscribers

Complimentary Access to The New York Times

  • News, Games, Cooking, Audio, Wirecutter & The Athletic

Business Standard Epaper

  • Digital replica of our daily newspaper — with options to read, save, and share

Curated Newsletters

  • Insights on markets, finance, politics, tech, and more delivered to your inbox

Market Analysis & Investment Insights

  • In-depth market analysis & insights with access to The Smart Investor

Archives

  • Repository of articles and publications dating back to 1997

Ad-free Reading

  • Uninterrupted reading experience with no advertisements

Seamless Access Across All Devices

  • Access Business Standard across devices — mobile, tablet, or PC, via web or app

More From This Section

Topics :ZoomApple

First Published: Aug 13 2022 | 2:39 PM IST

Next Story