The macOS installer for Zoom installer could let hackers hijack your device

Zoom has patched a serious security flaw that could have allowed hackers to take over a macOS device running the video conferencing software. 

The move came after Mac security specialist Patrick Wardle demonstrated how a threat actor could abuse the way macOS handles software patches to trigger an escalation of privilege and essentially take over the device. 

Initially, he said the vulnerability leveraged multiple flaws, and that the company addressed most of them. One remained, however, and that one was patched on a later date to finally fully mitigate the issue.

Tricking the updater

The problem lies in the way macOS handles updates. When a user first tries to install an app or a program on the endpoint, they need to run with special user permissions, often given by submitting a password. After that, auto-updates run indefinitely, with superuser privileges. 

In Zoom’s case, the updater would first check to see if the company cryptographically signed the new package, and if so, proceed with the update. However, should the updater get any file with the same name as Zoom’s signing certificate, it would run it. In other words, an attacker could slip in any malware through the updater, even if it meant giving a third party full access to the device.

The flaw was later identified as CVE-2022-28756, and was fixed in Zoom version 5.11.5 for macOS, which is available now to download.

Even though at first Wardle described the flaw as relatively easy to fix, even he was surprised at the speed at which Zoom addressed the issue: “Mahalos to Zoom for the (incredibly) quick fix!” Wardle tweeted afterwards. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”

Via: The Verge