A security researcher has discovered two vulnerabilities in the update tool of the video calling software Zoom for macOS that allowed root access. After the company patched the vulnerabilities, he discovered a new vulnerability.
Security researcher Patrick Wardle shared his findings at the DefCon hacker event in Las Vegas. There, he explained how to bypass the signature check of Zoom’s automatic update tool for macOS. Through a first vulnerability, CVE-2022-28751, users only had to change the filename of a file so that it contained the same values as the certificate the update tool was looking for. “You just have to give the software a certain name and you are straight past the cryptographic check,” Wardle told Wired.
Wardle had informed Zoom about the vulnerability at the end of 2021, and the fix the company subsequently released introduced a new vulnerability, according to Wardle. He was able to get Zoom’s updater.app for macOS to accept an older version of the video calling software, so that it started distributing that version instead of the most recent one. Through this vulnerability, CVE-2022-22781, malicious parties were suddenly given the opportunity to exploit vulnerabilities in older Zoom software. Were, that is: Zoom has since fixed both of the vulnerabilities above with an update.
But Wardle found a vulnerability in that fix as well, CVE-2022-28756. According to him, it is currently possible to make changes to a software package after the Zoom installer has verified it. The package retains its read-write permissions in macOS and can still be modified between the cryptographic check and the installation. Zoom has since responded to Wardle’s new findings and says it is working on a solution.
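The check-then-install ordering described above is the general point: if the package stays writable after it has been verified, the verified bytes and the installed bytes can differ. The following added example (not Zoom’s code; a constructed simulation that uses a SHA-256 digest as a stand-in for the real signature check and a callback to model the concurrent modification) contrasts verifying in place with verifying a private, read-only copy and installing only from that copy.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256_of(path):
    """Stand-in for the updater's cryptographic check (a real updater verifies a signature)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_verify_in_place(pkg_path, expected, mutate):
    """Vulnerable ordering: verify the package where it sits, then install from that same
    still-writable path. `mutate` models a modification that lands between check and install."""
    if sha256_of(pkg_path) != expected:
        raise ValueError("package failed verification")
    mutate(pkg_path)                       # happens after the check, before the install
    with open(pkg_path, "rb") as f:        # the "install" consumes whatever is on disk now
        return f.read()

def install_from_private_copy(pkg_path, expected, mutate):
    """Hardened ordering: copy the package into a directory only the installer can write
    (a privileged installer would use a root-owned location), make the copy read-only,
    verify that copy, and install only from it."""
    staging = tempfile.mkdtemp(prefix="updater-")   # created with mode 0700
    staged = os.path.join(staging, "package.pkg")
    shutil.copyfile(pkg_path, staged)
    os.chmod(staged, stat.S_IRUSR)
    try:
        if sha256_of(staged) != expected:
            raise ValueError("package failed verification")
        mutate(pkg_path)                   # the original changes; the verified copy does not
        with open(staged, "rb") as f:
            return f.read()
    finally:
        os.chmod(staged, stat.S_IRUSR | stat.S_IWUSR)
        shutil.rmtree(staging)

def demo():
    """Constructed scenario: the package is swapped right after the check.
    Returns what each ordering ends up installing."""
    workdir = tempfile.mkdtemp(prefix="demo-")
    pkg = os.path.join(workdir, "sample.pkg")      # constructed sample, not a real package
    original, tampered = b"GENUINE-PACKAGE", b"TAMPERED-PACKAGE"
    def swap(path):
        with open(path, "wb") as f:
            f.write(tampered)
    try:
        with open(pkg, "wb") as f:
            f.write(original)
        expected = sha256_of(pkg)
        got_in_place = install_verify_in_place(pkg, expected, swap)
        with open(pkg, "wb") as f:
            f.write(original)
        got_private = install_from_private_copy(pkg, expected, swap)
        return got_in_place, got_private
    finally:
        shutil.rmtree(workdir)
```

Running `demo()` shows the in-place ordering installing the tampered bytes while the private-copy ordering installs exactly what was verified.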
Zoom on macOS