Root Ride
A feature normally required by security software opens a huge hole.
Kevin Purdy
A critical vulnerability in Zoom for Mac OS allows unauthorized users to downgrade Zoom or even gain root access. It has been fixed; users should update now.
Getty Images
If you’re using Zoom on a Mac, it’s time to update manually. The latest update to the video conferencing software fixes an auto-update vulnerability that could let a malicious program abuse the updater’s elevated installation privileges to gain elevated privileges and control of the system.
The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a non-profit Mac OS security organization. Wardle in
That looks safe, since only Zoom clients can connect to the privileged daemon and only packages signed by Zoom can be extracted. The problem is that the validation check can be bypassed simply by giving the package the name the checker is looking for (“Zoom Video ... Certificate Authority Apple Root CA.pkg”). This means malicious actors could force Zoom to downgrade to a buggy, less secure version, or even hand it a completely different package, allowing them to gain root access to the system.
Wardle disclosed his findings to Zoom before the presentation, and Zoom addressed certain aspects of the vulnerability, but as of Wardle’s Saturday talk root access was still obtainable. Later that day, Zoom issued a security bulletin, and a patch, Zoom version 5.11.5 (9788), was released shortly after. You can download the update directly from Zoom, or click the “Check for Updates” option in the menu bar. We do not recommend waiting for automatic updates, for a number of reasons. (Update: clarified Wardle’s disclosure and the update timing.)
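To make the weak-check pattern concrete, here is an added illustration (not Zoom’s code and not from Wardle’s research): a simulated updater whose check searches a verifier’s text output for the expected signer string, next to one that parses the signer chain, compares it exactly and refuses downgrades. The signer names, file names and version numbers are all constructed.

```python
from dataclasses import dataclass

# Constructed signer chain standing in for a real vendor's Developer ID chain.
EXPECTED_CHAIN = ("Example Video Corp", "Developer ID Certification Authority", "Apple Root CA")
EXPECTED_TEXT = " -> ".join(EXPECTED_CHAIN)


@dataclass
class Package:
    filename: str              # chosen by whoever hands the package to the updater
    chain: tuple[str, ...]     # what the signature really verifies to; empty = unsigned
    version: tuple[int, ...]   # version the package would install


def verifier_output(pkg: Package) -> str:
    """Simulates a signature tool that echoes the file name before its verdict."""
    status = "signed" if pkg.chain else "no signature"
    return (f'Package "{pkg.filename}":\n'
            f"   Status: {status}\n"
            f"   Chain: {' -> '.join(pkg.chain)}\n")


def weak_check(pkg: Package) -> bool:
    # Flaw: a substring search over text that also contains the untrusted file name.
    return EXPECTED_TEXT in verifier_output(pkg)


def strict_check(pkg: Package, installed: tuple[int, ...]) -> bool:
    # Skip the first line, which only echoes the untrusted file name.
    fields = {}
    for line in verifier_output(pkg).splitlines()[1:]:
        key, _, value = line.strip().partition(": ")
        fields[key] = value
    if fields.get("Status") != "signed":
        return False
    # Exact comparison of the parsed chain, never a substring match.
    if tuple(fields.get("Chain", "").split(" -> ")) != EXPECTED_CHAIN:
        return False
    # Refuse downgrades: an older, vulnerable build is not an acceptable update.
    return pkg.version >= installed


# Constructed inputs: a real update, a renamed unsigned file, and an old signed build.
INSTALLED = (5, 11, 5)
GENUINE = Package("update.pkg", EXPECTED_CHAIN, (5, 11, 6))
RENAMED = Package(f"{EXPECTED_TEXT}.pkg", (), (0, 0, 1))      # unsigned; only the name matches
OLD_BUILD = Package("old.pkg", EXPECTED_CHAIN, (5, 10, 0))     # validly signed but a downgrade

if __name__ == "__main__":
    for pkg in (GENUINE, RENAMED, OLD_BUILD):
        print(pkg.filename[:24], weak_check(pkg), strict_check(pkg, INSTALLED))
```

The weak check accepts all three packages; the strict check accepts only the genuine, newer one.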
Zoom’s software security record is spotty, sometimes horrific. The company settled with the FTC in 2020 after admitting years of lying about providing end-to-end encryption. Wardle previously disclosed a Zoom vulnerability that could allow attackers to steal Windows credentials by sending a string of text. Before that, Zoom was found to be running a full unlicensed web server on the Mac, leading Apple to release its own silent update to kill the server.
Last May, a Zoom vulnerability that enabled zero-click remote code execution used similar downgrade and signature-check bypasses. Ars’ Dan Goodin noted that when the fix for that issue arrived, his Zoom client wasn’t actually updated and needed to manually download an intermediate version first. Goodin also pointed out that if Zoom users did not update immediately, hackers could quickly exploit the exposed Zoom vulnerability, though without root access in that case.