• Home
  • Apps
  • Apps News
  • Zoom Fixes Security Flaws in Mac That Could Have Allowed Hackers to Take Control of Victim's Machine

Zoom Fixes Security Flaws in Mac That Could Have Allowed Hackers to Take Control of Victim's Machine

Zoom has a total of three security flaws were reported since December 2021.

Zoom Fixes Security Flaws in Mac That Could Have Allowed Hackers to Take Control of Victim's Machine

Photo Credit: Twitter/ Zoom

Security flaws were found in Zoom installer

  • Fix for first two flaws had another vulnerability
  • Hackers could have injected malicious software
  • Some pre-access was needed to infect machine

Zoom has fixed vulnerabilities that could have allowed hackers to leverage the loophole and gain total control of a victim's machine. The issues were found and reported to Zoom in December 2021 but were shared at the DefCon security conference by Mac security researcher Patrick Wardle in Las Vegas last week. He said that he highlighted two issues in the automatic update feature of the video communication platform last year, which were fixed. However, the fix also brought in another vulnerability which Wardle shared onstage at the conference. Zoom has also plugged the third flaw.

As per multiple reports by The Verge and Wired, the first security flaw found by Wardle, who is a security researcher and founder of the Objective-See Foundation that creates open-source macOS security tools, was in the Zoom installer. The second one was in the tool that helped in confirming the cryptographic signatures needed to install updates. Zoom has patched the vulnerabilities and the patched version is now available for download.

But how did the vulnerability expose the users? The Zoom installer asks the users to punch in their credentials or cryptographic signatures as special permissions to remove or install the app. Once done, the Zoom app automatically downloads and installs security patches by checking the signature. The first vulnerability could have allowed an attacker to replace the signature that offers privileges, allowing the installer to install a malicious update, and exploit it.

The second vulnerability was found in a tool that facilitated the checking of cryptographic signatures. When the Zoom app is installed on a Mac machine, the system takes help of a standard macOS helper tool to confirm the signature and check whether the update that is being delivered is fresh — essentially restricting hackers to install an old, flawed version. Wardle found that a flaw could allow the hackers to trick the tool into accepting an old vulnerable version and taking total control of the victim's machine.

There was also a third vulnerability which Wardle found and discussed on stage last week. He said after patching the first two flaws, where Zoom now conducts its signature check securely and plugged the downgrade attack opportunity, there was still a third opportunity for hackers to exploit a loophole. He noticed that there is a moment after the signature verification and before the package is being installed on the system when attackers could inject their own malicious software into the Zoom update.

This malicious software can retain all the privileges and checks needed to install the update. An attacker could force the Zoom app user to reinstall the update in order to get multiple opportunities to insert a malicious patch and gain root access to the victim's device — just like Wardle did. However, the security researcher says that to exploit any of these flaws, a hacker should have some access to the victim's machine. Moreover, Zoom has also plugged the third flaw.

What should you make of Realme's three new offerings? We discuss them on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Zoom, Cybersecurity, Apple, Mac
Sourabh Kulesh
Sourabh Kulesh is a Chief Sub Editor at Gadgets 360. He has worked in a national daily newspaper, a news agency, a magazine and now writing technology news online. He has knowledge on a wide gamut of topics related to cybersecurity, enterprise and consumer technology. Write to sourabhk@ndtv.com or get in touch on Twitter through his handle @KuleshSourabh. More
Vivo V25 5G Alleged Hands-On Video Surfaces Online Ahead of Launch; Specifications Tipped: All Details
Indian Predator: The Diary of a Serial Killer Release Date Set for September 7 on Netflix
Share on Facebook Tweet Snapchat Share Reddit Comment google-newsGoogle News


Follow Us


© Copyright Red Pixels Ventures Limited 2022. All rights reserved.