Zoom has released a patch for its Mac app, fixing a vulnerability in its automatic updating function that could grant macOS root privileges to an attacker.
At the Def Con hacking conference on Friday, Patrick Wardle of Objective-See detailed an unpatched vulnerability in Zoom. After multiple earlier attempts, Zoom released another patch on Saturday to try to kill off the exploit.
Despite Wardle having followed responsible disclosure protocols and informed Zoom in December 2021, Zoom's attempts to fix the exploitable bug fell short.
Wardle discovered a privilege escalation attack in the Zoom application, specifically one that takes advantage of Zoom's own installer. The installer requires the user to enter their password on the first installation to a Mac, after which the auto-updater continues to operate with superuser privileges.
For subsequent updates, the updater installs the new package after checking that it was signed by Zoom. However, Wardle found that this check could be satisfied by any file whose name matched Zoom's signing certificate, creating an opening for an attack.
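The defensive lesson in that check is the difference between looking for an expected vendor string anywhere in a signature tool's output and parsing the actual signing fields. The following is an added example, not Zoom's code or Wardle's: the sample output lines are constructed to resemble what a code-signature inspection tool prints, and the vendor name, bundle identifier and team identifier are placeholders, not Zoom's real values.

```python
"""Contrast a substring match on signature-tool output with a check that
parses the signing fields. Added illustration; all names are constructed."""

# Placeholders (assumptions, not real Zoom values).
EXPECTED_TEAM_ID = "TEAMID0000"
EXPECTED_LEAF = "Developer ID Application: Example Vendor (TEAMID0000)"
ROOT_ANCHOR = "Apple Root CA"

# Constructed sample: a genuine package signed by the expected vendor.
GENUINE = """Executable=/Applications/Vendor.app/Contents/MacOS/Vendor
Identifier=com.example.vendor
Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

# Constructed sample: a file whose *path* contains the expected vendor string
# but whose signature chains to a different signer.
LOOKALIKE = """Executable=/tmp/Developer ID Application: Example Vendor (TEAMID0000)/pkg
Identifier=com.other.pkg
Authority=Developer ID Application: Other Party (OTHERTEAM1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERTEAM1
"""


def weak_check(output: str) -> bool:
    """Name-based check: the expected string anywhere in the output passes.
    Because the output echoes the file path, a well-chosen file name
    satisfies it regardless of who actually signed the file."""
    return EXPECTED_LEAF in output


def parse_signature_fields(output: str) -> tuple[list[str], dict[str, str]]:
    """Split tool output into the ordered Authority chain and the other
    key=value fields."""
    authorities: list[str] = []
    fields: dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            authorities.append(value)
        else:
            fields[key] = value
    return authorities, fields


def strict_check(output: str) -> bool:
    """Field-based check: the leaf certificate must be the expected signer,
    the chain must anchor at the expected root, and the team identifier
    must match. The file path plays no part in the decision."""
    authorities, fields = parse_signature_fields(output)
    return (
        authorities[:1] == [EXPECTED_LEAF]
        and authorities[-1:] == [ROOT_ANCHOR]
        and fields.get("TeamIdentifier") == EXPECTED_TEAM_ID
    )


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(f"{label}: weak={weak_check(sample)} strict={strict_check(sample)}")
```

Run as a script, the genuine sample passes both checks while the lookalike passes only the weak one, which is exactly the gap an updater running as root cannot afford. In a real verifier the strict check would be expressed as a designated requirement evaluated by the platform's signature API rather than by parsing text output at all.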
Frustratingly, Wardle told Zoom in December, only to find that the initial fix contained another bug that kept the vulnerability exploitable. Wardle then told Zoom about the second bug and waited.
Weeks before Def Con, Zoom issued a patch for the initial bug, but that fix too left an exploitable element that still allowed the attack to work.
On August 13, Zoom released another patch for its macOS client, again targeting the same vulnerability. The security bulletin page describes the issue as affecting Zoom Clients for macOS from version 5.7.3 onwards, with the patch itself bringing the app to version 5.11.5.