Zoom Video Communications Inc. has issued a patch for a vulnerability revealed by security researcher Patrick Wardle at the annual DEF CON Conference last week.

The vulnerability – CVE-2022-28756 – was found in Zoom for macOS versions 5.7.3 to 5.11.3 and potentially allowed an attacker to gain access and take over an Apple Inc. computer through Zoom’s package installer. The vulnerability has a Common Vulnerabilities and Exposure score of 8.8, with all Mac Zoom users being recommended to update to the latest version of Zoom – 5.11.5 as soon as possible.

The exploit lies in the way the auto-update client in Zoom connects to a privileged daemon. In a rather strange two-step process, someone looking to target a Zoom Mac user could bypass the verification checker within Zoom, tricking the update manager into forcing Zoom to downgrade to an earlier, more easily exploitable version of Zoom or even force it to download an entirely different package. Having taken advantage of the first stage, the more vulnerable version of Zoom, or a different package, would allow the attacker to gain root access to the victim’s Mac.

“The Zoom Client for Meetings for macOS (Standard and for IT Admin)… contains a vulnerability in the auto-update process,” Zoom said in a security bulletin. “A local low-privileged user could exploit this vulnerability to escalate their privileges to root.”

Vulnerabilities in software are nothing new and Zoom has had its fair share in the past, particularly when the software went from a semi-obscure offering to becoming a verb for video conferencing, similar to how Google has become a verb for searching the internet, as remote work became the norm due to the COVID-19 pandemic. Where this vulnerability exposure becomes arguably interesting is that it was exposed before Zoom had a proper patch available for it.

Typically, where a security researcher or so-called “white hat hacker” uncovers a vulnerability, they contact the company behind the flawed software to allow them to patch the issue before details of the vulnerability are published. Zoom was informed of the vulnerability seven months before Wardle went public with the details and had ample opportunity to patch it properly, but failed to do so.

According to Wardle, as reported by Naked Security by Sophos plc, just before DEF CON, Zoom said that it had fixed the vulnerability. However, “after he applied the patch, he noticed that there was still a gaping hole in the update process.” The subsequent fix to the flawed fix then followed after Wardle’s presentation at DEF CON.

Wardle is well known in the security community and at all stages did the right thing in not only informing Zoom but also attempting to assist them in fixing the issue. That it took Zoom seven months to address a known vulnerability and to then only release a flawed update does not reflect well on Zoom at all.

Image: Zoom

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.


Source link

Load More By Michael Smith
Load More In Technology
Comments are closed.

Check Also

Autocar magazine 1 February: on sale now

[ad_1] This week in Autocar, we put Porsche’s new 911 ‘SUV’ through its paces, break the s…