Zoom Updater Vulnerabilities
Lily Hay Newman (Hacker News):
Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check.
[…]
Wardle found that using a Zoom tool known as updater.app, which facilitates Zoom’s actual update distribution, he could trick the distributor into accepting an old, vulnerable version of Zoom instead, after which an attacker could exploit old flaws to get full control.
[…]
Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has.
Zoom has updated its Mac app to address the vulnerability, with version 5.11.5, which is available for download now.
Fyi, you don’t have to give the Zoom installer your admin password:
- Download the Suspicious Package app
- Open the Zoom installer file (.pkg) in Suspicious Package
- Drag the .app file from Suspicious Package into your Applications folder
See also: Bruce Schneier.
Previously:
You can also use the regular installer, choose to install for a single user rather than all users and then there is no admin password request.