Zoom has fixed vulnerabilities that could have allowed hackers to leverage the loophole and gain total control of a victim’s machine. The issues were found and reported to Zoom in December 2021 but were shared at the DefCon security conference by Mac security researcher Patrick Wardle in Las Vegas last week. He said that he highlighted two issues in the automatic update feature of the video communication platform last year, which were fixed. However, the fix also brought in another vulnerability which Wardle shared onstage at the conference. Zoom has also plugged the third flaw.
As per multiple reports by The Verge and Wired, the first security flaw found by Wardle, who is a security researcher and founder of the Objective-See Foundation that creates open-source macOS security tools, was in the Zoom installer. The second one was in the tool that helped in confirming the cryptographic signatures needed to install updates. Zoom has patched the vulnerabilities and the patched version is now available for download.
But how did the vulnerability expose the users? The Zoom installer asks the users to punch in their credentials or cryptographic signatures as special permissions to remove or install the app. Once done, the Zoom app automatically downloads and installs security patches by checking the signature. The first vulnerability could have allowed an attacker to replace the signature that offers privileges, allowing the installer to install a malicious update, and exploit it.
The second vulnerability was found in a tool that facilitated the checking of cryptographic signatures. When the Zoom app is installed on a Mac machine, the system takes help of a standard macOS helper tool to confirm the signature and check whether the update that is being delivered is fresh — essentially restricting hackers to install an old, flawed version. Wardle found that a flaw could allow the hackers to trick the tool into accepting an old vulnerable version and taking total control of the victim’s machine.
There was also a third vulnerability which Wardle found and discussed on stage last week. He said after patching the first two flaws, where Zoom now conducts its signature check securely and plugged the downgrade attack opportunity, there was still a third opportunity for hackers to exploit a loophole. He noticed that there is a moment after the signature verification and before the package is being installed on the system when attackers could inject their own malicious software into the Zoom update.
This malicious software can retain all the privileges and checks needed to install the update. An attacker could force the Zoom app user to reinstall the update in order to get multiple opportunities to insert a malicious patch and gain root access to the victim’s device — just like Wardle did. However, the security researcher says that to exploit any of these flaws, a hacker should have some access to the victim’s machine. Moreover, Zoom has also plugged the third flaw.