Zoom Installer Flaw can Give Attackers Root Access to Mac

A security researcher discovered a way for an attacker to use the macOS version of Zoom to obtain complete control of the operating system.

Details of the attack were revealed last week at the Def Con hacking conference in Las Vegas by Mac security specialist Patrick Wardle.

Zoom has already fixed some of the issues implicated, but the researcher also disclosed one unpatched vulnerability that continues to affect systems. The exploit targets the Zoom application’s installer, which requires special user permissions to run in order to install or remove the main Zoom application from a computer.

Despite the fact that the installer needs a user to input their password when first installing the application, Wardle discovered that an auto-update mechanism then ran in the background with superuser access.

When Zoom issued an update, the updater function installed it after ensuring that it was cryptographically signed by Zoom.

However, due to a bug in how the checking method was implemented, giving the updater any file with the same name as Zoom’s signing certificate was enough to pass the test, allowing an attacker to substitute any malware program and have it run by the updater with elevated privilege, according to the report.

As a result, a privilege escalation attack occurs, in which an attacker assumes initial access to the target system and then applies an exploit to achieve a higher level of access.

In this case, the attacker starts with a restricted user account and then progresses to the most powerful user type, called as a ‘superuser’ or ‘root’, which allows them to add, remove, or modify any files on the machine.