Latest Zoom update on Mac had loophole for hackers

Zoom pronouns meetings webinars user profiles gender

An update for the virtual meeting platform Zoom on MacOS could have allowed a hacker to control a user’s operating system.

Zoom attended to the issue with an update to the patch and acknowledged the issue (CVE-2022-28756).

Versions 5.7.3 to 5.11.5 of the MacOs app contained a vulnerability in the auto-update process that could be exploited by a local low-privileged user to gain root privileges to the operating system.

The vulnerability has been patched with the Zoom app for MacOS readily available.

The dropped ball was flagged by Mac security researcher Patrick Wardle.

In Zooms August security bulletin the virtual meeting platform confirmed: “A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https: //”

The researcher who flagged the issue was quick to laud Zoom for their incredibly quick fix to attend to the issue.

At the Def Con hacking conference in Las Vegas Wardle picked up a way to leverage the MacOS version of Zoom only for Zoom to galvanize some bugs.

How it works

The initial Zoom update meant the updater function would install the new package after authenticating its cryptography by Zoom.

A bug in the checking method meant providing the updater any file with the same name as Zoom’s signing certificate.

This would be enough to pass through, meaning a hacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

In simple terms, once the attacker has gained initial access to the target system, they may exploit the system further to a higher level of control.

Also read: WATCH: MultiVersus season 1 game fights back after delay



Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Memeburn

Sign up to our newsletter to get the latest in digital insights.