A PSA for Mac owners who use Zoom for their meetings and family video calls: update your software right away. The company has acted quickly to patch a serious security weakness that could allow a hacker to take control of macOS, letting them edit, add or even delete files at will.
The exploit is blocked in version 5.11.5 of the Zoom app for macOS, and affected users should install the update immediately. The vulnerability was given a CVSS score of 8.8 in the company’s security bulletin, denoting “high” severity.
It marks a quick turnaround for Zoom’s developers, as the bug was only exposed at the DEF CON hacking conference on Friday (August 12). The security researcher who found the weakness, Patrick Wardle, was certainly impressed, tweeting: “Mahalos to @Zoom for the (incredibly) quick fix!”
The Verge, which attended the event last week, has more details on the now-defanged vulnerability, which targeted the installer of the Zoom application. Wardle found that while the installer required a Mac owner to enter a password for installations, the auto-update function ran in the background with superuser privileges.
The updater would check that updates officially distributed by the developers had been cryptographically signed. But Wardle discovered that the check could be fooled by feeding the updater any file carrying the same signing credentials, allowing an attacker to substitute malware of their choosing, which would then run with those elevated privileges on a Mac with Zoom open.
That loophole is now, thankfully, closed. Wardle followed up on his congratulatory tweet by explaining exactly how Zoom had made the fix.
“Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversions,” he explained in a tweet on August 14, 2022, accompanied by a padlock and thumbs-up emoji, suggesting the fix gets the Wardle seal of approval.
To update Zoom on your Mac, load it up and then click zoom.us (or whatever your geographical equivalent is) from the menu bar at the top of the screen. Select “Check for updates” and Zoom should pop open a window giving you the details of what’s included. Click “Update” and your download will begin.