First revealed by Patrick Wardle, versions 5.7.3 to 5.11.3 of Zoom on macOS devices contain a vulnerability that can give hackers root privileges.
Zoom has issued a patch for a serious security flaw in its macOS app that could allow an attacker to take control of a user's operating system.
In a security bulletin update on Saturday (13 August), Zoom said versions 5.7.3 through 5.11.3 of its macOS app contain a vulnerability in the auto-update process that a local low-privileged user can exploit to "escalate their privileges to root".
First reported by MacRumors, the flaw was presented by Mac security researcher Patrick Wardle at DEF CON, one of the world's largest hacking conferences, held in Las Vegas last week.
Zoom released the patch soon after Wardle demonstrated to the audience how easily the vulnerability could be used to take over a user's system, gaining the ability to modify, delete and add files on the device. He posted further details of the exploit on Twitter.
Mahalo to everybody who came to my @defcon talk “You’re M̶u̶t̶e̶d̶ Rooted” 🙏🏽
Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).
Currently there is no patch 👀😱
Slides with full details & PoC exploit: https://t.co/viee0Yd5o2 #0day pic.twitter.com/9dW7DdUm7P
— patrick wardle (@patrickwardle) August 12, 2022
“Mahalos to Zoom for the (incredibly) quick fix!” Wardle tweeted in the thread after Zoom released the update. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”
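The fix Wardle describes, as an added example that is neither Zoom's code nor taken from Wardle's slides: a simulated privileged updater in Python, showing the verify-then-install race beside the hardened flow. It assumes that the weakness was the update package remaining under the low-privileged user's control between the updater's validation of it and the installation (an inference from the lchown fix, not something this article states), uses a SHA-256 digest in place of the real code-signature check, and simulates the attacker as a callback that fires inside the race window; `vulnerable_update`, `hardened_update`, `swap_package` and `run_demo` are names chosen here.

```python
"""Simulated privileged auto-updater: a verify-then-install race (TOCTOU)
beside a hardened flow that takes ownership of the package file first.

Added example, not Zoom's code. ASSUMPTIONS: a SHA-256 digest stands in for
the real code-signature check; the low-privileged attacker is simulated by a
callback that runs inside the race window; the 'install' step just returns
the bytes that would have been handed to the installer.
"""
import hashlib
import os
import stat
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[str], None]]


def pkg_digest(data: bytes) -> str:
    """Stand-in for signature verification: digest of the package bytes."""
    return hashlib.sha256(data).hexdigest()


def vulnerable_update(pkg_path: str, trusted: str, attacker: Hook = None) -> Optional[bytes]:
    """Verify by path, then install by path. The package file still belongs to
    the low-privileged user between the two steps, so whatever that user puts
    there after verification (here: the attacker callback) gets installed."""
    with open(pkg_path, "rb") as f:
        if pkg_digest(f.read()) != trusted:
            return None                      # signature check failed
    if attacker is not None:
        attacker(pkg_path)                   # race window
    with open(pkg_path, "rb") as f:
        return f.read()                      # installs the swapped file


def hardened_update(pkg_path: str, trusted: str, attacker: Hook = None) -> Optional[bytes]:
    """Open the package once (O_NOFOLLOW, so a symlink cannot redirect the
    ownership change; the same reason the fix uses lchown rather than chown),
    make that inode 0600 and owned by the updater itself, then verify and
    install the bytes read through the same descriptor. Run as root, the
    fchown takes the file away from the low-privileged user; in this
    unprivileged demo it is a no-op on a file we already own, but the verified
    bytes are still exactly the installed bytes."""
    with os.fdopen(os.open(pkg_path, os.O_RDONLY | os.O_NOFOLLOW), "rb") as f:
        os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)
        os.fchown(f.fileno(), os.geteuid(), os.getegid())
        data = f.read()
    if pkg_digest(data) != trusted:
        return None                          # signature check failed
    if attacker is not None:
        attacker(pkg_path)                   # same window; cannot reach `data`
    return data


def swap_package(pkg_path: str, payload: bytes) -> None:
    """What a local user can do to a file in a directory they can write to:
    drop a replacement next to it and rename it over the original."""
    tmp = pkg_path + ".swap"
    with open(tmp, "wb") as f:
        f.write(payload)
    os.replace(tmp, pkg_path)


def run_demo() -> dict:
    """Constructed scenario: a benign package, an attacker swapping it inside
    the race window, and a tampered package with no race at all."""
    benign, evil = b"benign-update-payload", b"malicious-update-payload"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, updater in (("vulnerable", vulnerable_update),
                              ("hardened", hardened_update)):
            pkg = os.path.join(d, name + ".pkg")
            with open(pkg, "wb") as f:
                f.write(benign)
            results[name] = updater(pkg, pkg_digest(benign),
                                    lambda p: swap_package(p, evil))
        pkg = os.path.join(d, "tampered.pkg")
        with open(pkg, "wb") as f:
            f.write(evil)
        results["tampered"] = hardened_update(pkg, pkg_digest(benign))
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:10s} -> {v!r}")
```

Reading the verified bytes into memory is a simplification. A real updater hands the .pkg to the operating system's installer by path, so the file on disk is what must be placed out of the user's reach: owned by root, not writable by the user, and preferably copied into a root-owned staging directory first, because a writable descriptor the user opened before the ownership change keeps working after it.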
Wardle is a former US National Security Agency hacker and founder of the Objective-See Foundation, a non-profit that develops open-source macOS security tools.
In 2017, Wardle claimed to have revealed a password exfiltration vulnerability in macOS High Sierra being rolled out at the time. He demonstrated that it was possible to steal every password in plain text using an app downloaded from the internet without needing the Mac’s Keychain master login.
Zoom rated the latest vulnerability 'high' severity and urged users to update to the latest version of the app to avoid being exploited.
“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download,” the company wrote in its security bulletin update.
Source: www.siliconrepublic.com