Zoom installer flaw can give attackers root access to your Mac

By Mike Peterson

A security researcher has discovered a flaw in Zoom on macOS that could allow attackers to gain root access and control the entire operating system -- and the issue has yet to be fully fixed.


Patrick Wardle, a veteran security researcher who formerly worked for the NSA, shared his findings in a presentation at the Defcon conference in Las Vegas on Friday, according to The Verge.

The attack works by leveraging the Zoom for macOS installer, which requires special user permissions to be able to install or uninstall Zoom from a Mac. More specifically, Wardle discovered that the installer has an auto-update function that continues to run in the background with elevated privileges.

Whenever Zoom issued an update to its video conferencing platform, the auto-updater would install the update after checking that it was legitimate. However, a flaw in the cryptographic verification method meant that an attacker could trick the updater into thinking a malicious file was signed by Zoom.

Since the updater runs with superuser privileges, Wardle found that an attacker could run any program through the update function -- and gain those privileges. And Zoom let the flaw exist for months.

"To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code," Wardle said to The Verge. "So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users' computers vulnerable."

As a privilege escalation attack, the flaw could allow attackers to gain "root" or "superuser" privileges on a Mac. In theory, that could allow them to add, remove, or modify any file on the machine.

Although Zoom issued an initial patch a few weeks before the event, Wardle said that the update contained another bug that could have allowed attackers to continue exploiting the flaw.

He soon disclosed the second bug and waited eight months to publish his research.

A few months before the Defcon conference in August, Wardle says that Zoom issued another patch that fixed the bugs he initially discovered. However, this latest patch still contains errors that could allow attackers to leverage the flaw.

The second bug is currently still active in the latest update for Zoom. It's apparently easy to fix, so Wardle hopes that talking about it publicly at Defcon will get Zoom to quickly issue a patch.

How to protect yourself

Since the flaw is still present in the latest version of Zoom, the only way to completely mitigate it is to stop using the Zoom installer. You can also go one step further and delete retained installers.

Alternatively, you can join Zoom meetings from most standard web browsers.

Updated August 13, 8:30 AM ET: Removed erroneous references to Zoom version on Mac App Store.