Zoom fixes critical vulnerability in macOS app update tool

Zoom has fixed a critical vulnerability in its update tool for macOS. The vulnerability made it possible to obtain root rights on a system. Researcher Patrick Wardle discovered the vulnerability and presented it at DefCon.

Zoom has fixed the vulnerability in version 5.11.5, according to a security bulletin from the company. The vulnerability was designated CVE-2022-28756 and had a cvss severity score of 8.8 out of 10. The vulnerability made it possible for a local user to access the root directory of a system. The leak was only in the macOS version of Zoom.

Security researcher Patrick Wardle presented the vulnerability at the DefCon hacking event in Las Vegas. Wardle showed, among other things, two vulnerabilities in the Zoom updater for macOS, which the researcher reported to Zoom at the end of last year and have since been fixed. However, the security researcher presented a third vulnerability during DefCon, which had not yet been patched.

The researcher found that there was a point during the update process when a Zoom update had already been verified but not yet installed. During that time it was possible to inject your own code. In addition, the researcher managed to trick Zoom’s update tool into reinstalling the current version of the app so that the update process could be started at any time. Users could use those vulnerabilities to gain root access to a system. This vulnerability has now also been resolved by Zoom.