A security researcher has disclosed a technique by which an attacker could abuse Zoom on macOS to take control of the entire operating system.
In a talk on Friday at the Def Con hacking conference in Las Vegas, Mac security researcher Patrick Wardle detailed the exploit. Zoom has already patched some of the issues involved, but Wardle also identified one vulnerability that has not yet been fixed and still affects systems.
The core Zoom application must be installed on or removed from a computer using the Zoom installer, and that installer is where the vulnerability lies. The installer requires special user permissions to run. Although it asks the user for a password when adding the application to the system for the first time, Wardle found that an auto-update function thereafter ran continuously in the background with superuser rights.
When Zoom released an update, the updater would first check that the new package had been cryptographically signed by Zoom before installing it. But a flaw in how that check was implemented meant that handing the updater any file whose name contained the name of Zoom’s signing certificate was enough to pass the test. As a result, an attacker could substitute any malicious program of their choosing and have the updater run it with administrative privileges.
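The signature-check weakness described above is a general pattern: a verifier that searches a signing tool's text output for the vendor's name can be satisfied by anything that gets that name into the output, including the file's own path. The Python below is an added illustration, not Zoom's updater code. The output format is loosely modelled on a code-signing tool's verbose report, and the vendor name, team identifier and sample outputs are constructed placeholders.

```python
"""Weak vs. hardened interpretation of a code-signing tool's text output.

Added example, not Zoom's code. A substring search for the expected signer
passes whenever that string appears anywhere in the output, including in the
echoed file path. The hardened check requires an explicit success line and an
exact match on the leaf signing authority.
"""

# Constructed placeholder for the identity the updater expects to see.
EXPECTED_AUTHORITY = "Developer ID Application: Example Vendor (TEAMID0000)"

# Constructed sample: what a verifier might print for a genuinely signed package.
GENUINE_OUTPUT = """\
/tmp/update/Vendor.pkg: valid on disk
/tmp/update/Vendor.pkg: satisfies its Designated Requirement
Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Example Root CA
"""

# Constructed sample: an unsigned file whose *file name* carries the expected
# string. Verification fails, yet the name alone satisfies a substring search.
SPOOFED_OUTPUT = """\
/tmp/update/Developer ID Application: Example Vendor (TEAMID0000).pkg: code object is not signed at all
"""

# Constructed sample: a validly signed package from a different signer.
OTHER_VENDOR_OUTPUT = """\
/tmp/update/Other.pkg: valid on disk
/tmp/update/Other.pkg: satisfies its Designated Requirement
Authority=Developer ID Application: Other Vendor (OTHERID000)
Authority=Developer ID Certification Authority
Authority=Example Root CA
"""


def weak_check(output: str) -> bool:
    """The flawed pattern: any occurrence of the signer name passes."""
    return EXPECTED_AUTHORITY in output


def hardened_check(output: str) -> bool:
    """Pass only if the tool reported success AND the leaf authority matches."""
    lines = output.splitlines()
    verified_on_disk = any(ln.endswith(": valid on disk") for ln in lines)
    meets_requirement = any(
        ln.endswith(": satisfies its Designated Requirement") for ln in lines
    )
    # Authority lines are listed leaf first; only the leaf identifies the signer.
    authorities = [ln[len("Authority="):] for ln in lines if ln.startswith("Authority=")]
    leaf_matches = bool(authorities) and authorities[0] == EXPECTED_AUTHORITY
    return verified_on_disk and meets_requirement and leaf_matches


if __name__ == "__main__":
    for name, out in (("genuine", GENUINE_OUTPUT),
                      ("spoofed name", SPOOFED_OUTPUT),
                      ("other vendor", OTHER_VENDOR_OUTPUT)):
        print(f"{name:13s} weak={weak_check(out)!s:5s} hardened={hardened_check(out)}")
```

In practice an updater should not parse text at all: on macOS, `codesign --verify` with an explicit requirement string (`-R`) and its exit status, or the Security framework's `SecStaticCode` APIs, bind the decision to the signing identity rather than to a substring. The parsing version is shown only to make the difference between the two checks visible.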
The result is a privilege escalation attack, in which the attacker is assumed to already have access to the target system and uses an exploit to gain a higher level of access. Here, the attacker starts out with a limited user account and rises to the level of “superuser” or “root,” which gives them access to every file on the system and the ability to add, remove, or edit them.
Wardle founded the Objective-See Foundation, a nonprofit that produces free security software for Apple’s macOS. Earlier the same week, at the Black Hat security conference, he described how for-profit companies had lifted techniques from his open-source security tools without authorization.
Wardle reported the vulnerability to Zoom in December of last year, following responsible disclosure practice. He says Zoom’s first fix contained a second bug that left the vulnerability exploitable, though in a slightly more complicated way. He reported the second bug to Zoom and waited eight months before publishing his findings.
In a call with The Verge before the talk, Wardle said, “To me that was kind of troubling because not only did I report the issues to Zoom, I also identified errors and how to improve the code.” “Since all Mac versions of Zoom were vulnerable on customers’ machines, it was incredibly frustrating to wait, like, six, seven, or eight months.”
Wardle says Zoom released a patch addressing the problems he had found a few weeks before the Def Con conference. But on closer inspection, a different small mistake meant the problem was still exploitable.
In the new version of the update installer, a file to be installed is first moved to a directory owned by the “root” user. Ordinarily that means no user without root privileges can add, remove, or alter files in that directory. But because of a subtlety of Unix systems (of which macOS is one), a file that already exists keeps the same ownership and read-write permissions when it is moved there from another location. So in this case an ordinary user can still modify it. And because the file remains modifiable, an attacker can still use it to gain root access by replacing its contents with a file of their choosing.
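The Unix subtlety in the paragraph above is worth seeing concretely: a rename moves the inode, so the file's owner and permission bits travel with it unchanged, and a root-owned parent directory does nothing to stop the file's owner from editing it. The Python below is an added example, not Zoom's or Wardle's code. It runs as an ordinary user, so a temporary directory stands in for the root-owned path (an assumption), and it contrasts the move with the safer pattern of creating a fresh, privately owned copy.

```python
"""Why moving a user-owned file into a root-owned directory does not protect it.

Added example, not Zoom's or Wardle's code. rename(2) keeps the same inode,
so owner and mode are preserved; a privileged installer should instead create
a new file it owns, copy the bytes in, and verify that copy before using it.
The "privileged" directories here are temp dirs standing in for root-owned
paths, because this runs as an unprivileged user (assumption).
"""
import os
import shutil
import stat
import tempfile


def stage_by_rename(src: str, privileged_dir: str) -> str:
    """The flawed pattern: move the user-controlled file as-is."""
    dst = os.path.join(privileged_dir, os.path.basename(src))
    os.rename(src, dst)  # same inode: owner and permission bits unchanged
    return dst


def stage_by_private_copy(src: str, privileged_dir: str) -> str:
    """Hardened pattern: create a brand-new file, owned by this process, with
    no group/other write bits, and copy the bytes into it."""
    dst = os.path.join(privileged_dir, os.path.basename(src))
    # O_EXCL refuses a pre-existing file or symlink planted at dst.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o644)  # explicit, umask-independent: owner rw, others read only
    return dst


def others_can_write(path: str) -> bool:
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_user_file(path: str) -> None:
    """Constructed stand-in for an update file that a low-privilege user controls."""
    with open(path, "wb") as f:
        f.write(b"constructed placeholder update payload")
    os.chmod(path, 0o666)  # world-writable, as the file's owner can arrange


def demo() -> dict:
    """Stage the same file both ways and report what each strategy preserves."""
    work = tempfile.mkdtemp()
    try:
        user_dir = os.path.join(work, "user")
        priv_move = os.path.join(work, "privileged_move")  # stands in for a root-owned dir
        priv_copy = os.path.join(work, "privileged_copy")  # stands in for a root-owned dir
        for d in (user_dir, priv_move, priv_copy):
            os.makedirs(d)
        src = os.path.join(user_dir, "update.pkg")

        make_user_file(src)
        inode_before = os.stat(src).st_ino
        moved = stage_by_rename(src, priv_move)

        make_user_file(src)  # the rename consumed the first copy; recreate it
        copied = stage_by_private_copy(src, priv_copy)

        return {
            "rename_same_inode": os.stat(moved).st_ino == inode_before,
            "rename_others_can_write": others_can_write(moved),
            "copy_others_can_write": others_can_write(copied),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The private copy is only half of the fix: the installer must also verify the signature of the copy it made, after copying, and never re-read from the user-controlled path, otherwise the window between verification and use reopens.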
Although this flaw is still present in Zoom, Wardle says it is fairly simple to fix and that he thinks raising it publicly will “oil the wheels” for the company to address it as soon as possible.
Zoom is aware of the recently disclosed vulnerability in its macOS auto-updater and is actively addressing it, Matt Nagel, Zoom’s security and privacy PR director, said in a response to The Verge.