Zoom updates macOS installer to remove malware-like exploits
Video conferencing app Zoom has updated its macOS installer, removing the installation process, described as "shady," for which it had recently been criticized.
Software engineer Felix Seele discovered that the Zoom app could be installed on a Mac without the user's final consent.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M — Felix (@c1truz_) March 30, 2020
Zoom's CEO responded, saying that the installer was meant to simplify the process, as many new users might not be able to join a meeting quickly without the exploits. The company noted that since the outbreak of the COVID-19 pandemic, it had ballooned from 10 million daily users to over 200 million daily users.
Despite the company's reasoning, public backlash was intense. On Thursday, Zoom issued a new update, replacing the "shady" installer with a more traditional one.
"They completely removed the preinstall stuff, so you now need to click through the installer as it ought to be," explains Seele in a message to The Verge. The fake prompt has also been removed so users have to specifically click through and install Zoom. "I must say that I am impressed," says Seele. "I expected them to maybe change the dialog, but since the 'zero-click' aspect was so important to them, I thought they would stick with the preinstall-trick."
The company has said it will undergo a 90-day feature and development freeze to work on security issues and fix existing problems.
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without users' permission. Zoom notified Facebook when the iOS app was opened and reported what device a user was using, what carrier they were on, and what city and time zone they were connecting from. The data included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption when it did not.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" its camera and microphone permissions, allowing the attacker to hijack the camera and microphone without the user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.