“All you do is name your package in a certain way, and then you can fully bypass their cryptographic checks,” Wardle says.
In the second vulnerability, Wardle found that while Zoom had created a check to confirm that an update being delivered was a new version, he could get around it by handing software that had already passed the signature check directly to a flaw in how the updater app received software to distribute. Using a Zoom tool known as updater.app, which facilitates Zoom’s actual update distribution, he could trick the distributor into accepting an old, vulnerable version of Zoom instead, after which an attacker could exploit old flaws to get full control.
“We have already resolved these security issues,” a Zoom spokesperson told WIRED in a statement. “As always, we recommend users keep up to date with the latest version of Zoom … Zoom also offers automatic updates to help users stay on the latest version.”
During his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package is installed—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.
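The verify-then-install window described above, as an added illustration (not code from Wardle’s research or from Zoom’s installer): a privileged installer that checks a package by path and then reads the path again at install time, beside one that verifies and installs the very same bytes. The package contents, the digest standing in for a signature check, and the `swap` hook that plays the concurrent low-privileged process are all constructed.

```python
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed stand-ins for a legitimate signed package and a tampered copy.
GOOD_PKG = b"update-package: legitimate bytes"
EVIL_PKG = b"update-package: attacker-modified bytes"
GOOD_DIGEST = hashlib.sha256(GOOD_PKG).hexdigest()   # stands in for a valid signature

Hook = Optional[Callable[[], None]]

def verify_by_path(path: str, expected: str) -> bool:
    """Open the file by path and compare its digest (the 'signature check')."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == expected

def install_vulnerable(path: str, expected: str, between: Hook = None) -> Optional[bytes]:
    """Verify by path, then open the path a second time to install.
    Whatever is written to the path between the two opens is installed with the
    privileges the verified update earned: the race window the article describes."""
    if not verify_by_path(path, expected):
        return None
    if between:
        between()              # work done by another process while we are between steps
    with open(path, "rb") as f:
        return f.read()        # installed bytes are not the bytes that were verified

def install_hardened(path: str, expected: str, between: Hook = None) -> Optional[bytes]:
    """Read once, verify the bytes in memory, install those same bytes.
    No second open, so a swap of the path after verification changes nothing.
    (A real installer that must hand a path to a separate install step should first
    copy the package into a directory unprivileged users cannot write to.)"""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected:
        return None
    if between:
        between()
    return data

def simulate(installer, initial: bytes = GOOD_PKG) -> Optional[bytes]:
    """Write `initial` to a temp path, then swap in EVIL_PKG after verification."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "update.pkg")
        with open(pkg, "wb") as f:
            f.write(initial)
        def swap() -> None:
            with open(pkg, "wb") as f:
                f.write(EVIL_PKG)
        return installer(pkg, GOOD_DIGEST, between=swap)
```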
“The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”
To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But Wardle’s findings are an important reminder to keep updating—automatically or not.
Update Monday, August 15, 2022, at 2:10 pm ET: The day after Wardle’s talk, Zoom released a patch for the flaw he disclosed at DefCon. “A local low-privileged user could exploit this vulnerability to escalate their privileges to root,” the company wrote in its advisory.