Mac users at risk with Zoom's auto update feature, says security researcher
Zoom’s auto-update feature that makes it easy to keep the software up to date also comes with certain security risks on Mac, said Partick Wardle, a long-time Mac security researcher, who presented a ‘new’ bug in Zoom's automatic update feature on August 12. Although Zoom has fixed some of its bug issues, Wardle said that there was one unpatched vulnerability remains that may affect systems now.
At the security conference DefCon 2022 held in Las Vegas last week, Wardle, also a founder of the Objective-See Foundation, a non-profit that creates open-source macOS security tools explained that when targeting the installer of the application, special user permission is needed to install or remove Zoom from a computer.
According to him, “when a certain user is entering a password, the auto-update function is continuously running in the background with privileges to access the information. Following this, the power to control, add, modify, and remove files on the user's machine is in the hands of the attacker as they have already gained initial access to the target.”
The first vulnerability Wardle found was in the cryptographic signature check. It’s a sort of wax-seal check to confirm the integrity and provenance of software. Wardle found that attackers can change the name of the software – say, for example, a legal document - they want to steal by naming your package in a certain way and fully bypassing Zoom’s signature check.
In the second vulnerability Wardle found that using a Zoom tool known as 'updater.app', which facilitates Zoom’s actual update distribution, criminals could trick the distributor into accepting an old, vulnerable version of Zoom instead, after which an attacker could exploit old flaws to get full control.
In an August 13 security bulletin, Zoom said that they have already resolved these security issues and recommend users keep up with the latest update of the application.
Wardle agreed that some vulnerability in the presentation were already resolved by Zoom, as he informed the company in December 2021. Yet, in the latest interview with The Verge, Wardle mentioned more needs to be done as these vulnerabilities like a chained system led to another bug and can cause further damage to the user.
Zoom has already received criticism for 'zoom-bombing' a cyber-harassment where people interrupt online meetings via the conference application and other security issues during the pandemic and later, when hundreds and thousands of people, including office workers and students were working from home fully online.
“There's always a potential tradeoff between usability and security, and it's important for users to install updates. But if it's opening this broad attack surface that could be exploited, that's less than ideal,” Wardle said.