Patrick Wardle is the researcher who spotted and shared his vulnerabilities with Zoom. While the first two are patched, Zoom is said to be working on the third one and asks users to update their clients whenever the latest update is available.
Repeated Vulnerabilities in Zoom Updater
Zoom’s automatic updating option is a fine thing since it keeps your app up to date without you doing it manually every time. But, its Mac variant is infested with a security bug that could allow hackers to gain the root privileges of the target’s device – says a security researcher named Patrick Wardle. Wardle found the exact problem in Zoom automatic updater’s app signature check – which should check the integrity of an update being installed. Wardle said that attackers could bypass this security check by simply naming their malware file accordingly and pushing it to let the updater take it in! Also Read- Best Work From Home Software The automatic updater then blindly installing the malicious update will give attackers the complete privilege the Zoom app has – which could be the root access to Mac. He discovered this bug and shared it with Zoom in December last year, but the patch update Zoom rolled out for this contained yet another fault! This second vulnerability would have let attackers trick the updater tool into accepting an older version of Zoom, circumventing the patch that Zoom has set in place. While Zoom was quick enough to patch this too, Wardle found yet another vulnerability (third) in the same process! He pointed out a time between the auto-installers verification of a software package and the actual installation process, which could allow attackers to inject malicious code into the update. Although attackers need to have existing access to the user’s device to exploit these flaws, this is still a serious issue. Thus, Zoom is working again to patch it and advised users to update to the latest version of the app whenever available. Update as on 14th August, 2022; Zoom has patched the third vulnerability (tracked as CVE-2022-28756) with a new update to its macOS client v5.11.5. Users are urged to update immediately.
