Zoom fixes dangerous flaw on Mac - for the third time

Researcher Patrick Wardle first warned Zoom about the bug in December last year


Security researcher finds that the squeaky wheel gets the grease

Zoom has patched a bug in its macOS app that a local attacker could use to take control of a victim's system.

Zoom released a fix for the flaw, CVE-2022-28756, in v5.11.5 of its Mac release, which is available now.

Security researcher Patrick Wardle first discovered the flaw, which was present in versions 5.7.3 to version 5.11.3 of Zoom's macOS app. He presented it at the DefCon conference in Las Vegas last week.

Wardle explained that the exploit targets Zoom's auto-updater, which runs with root privileges so that it can install updates without prompting the user. The updater downloads a new package, checks that it carries Zoom's cryptographic signature, and then installs it. The problem was that the package file remained in a location an unprivileged local user could modify between the signature check and the installation. By swapping the verified package for any other file, such as malware, an attacker could have the updater run it with root privileges.

The consequences depended on the payload, but because the updater ran as root, an attacker who already had an unprivileged foothold on the Mac could use it to gain root and, with that, nearly unrestricted access to the system. This makes it a local privilege escalation rather than a remote attack.

Wardle first told Zoom about the flaw in December 2021. However, the company's initial fix contained another vulnerability that simply changed the required method of attack.

After reporting this second bug to Zoom, Wardle waited eight months before presenting his findings at DefCon. In that time the firm issued another patch, but the bug remained exploitable due to a small error.

After Wardle went public with the bug and his suggested fixes, Zoom released a patch that did, finally, close the vulnerability.

"Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion," Wardle tweeted.
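The following is an added example, not Zoom's code or Wardle's proof of concept. It simulates the verify-then-install pattern described above and shows why the package must be immune to modification between the signature check and the install. The HMAC key, the two package bodies and the attacker callback are constructed stand-ins; Zoom's actual fix, per the tweet above, is to chown the .pkg to root so the unprivileged user can no longer touch it, whereas the hardened updater here reads the package once and verifies and installs the same bytes, which closes the same window by a different route.

```python
"""Simulated privileged auto-updater: the verify-then-install race and its fix.

Added example, not Zoom's code. An HMAC stands in for the vendor's package
signature, a temp directory stands in for the user-writable download location,
and a callback stands in for a local attacker racing the updater.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Callable

# Constructed stand-ins: the vendor's signing secret and two package bodies.
VENDOR_KEY = b"vendor-signing-key"
GENUINE_PKG = b"#!/bin/sh\necho 'genuine update'\n"
MALICIOUS_PKG = b"#!/bin/sh\necho 'attacker payload running as root'\n"


def sign(pkg: bytes) -> str:
    """Vendor-side: produce the package signature (HMAC stands in for code signing)."""
    return hmac.new(VENDOR_KEY, pkg, hashlib.sha256).hexdigest()


def verify(pkg: bytes, signature: str) -> bool:
    """Updater-side signature check, constant-time comparison."""
    return hmac.compare_digest(sign(pkg), signature)


def install_as_root(pkg: bytes) -> bytes:
    """Stand-in for the privileged install step: returns what would have executed."""
    return pkg


def vulnerable_update(path: str, signature: str, race: Callable[[], None]) -> bytes:
    """Check the file at `path`, then install whatever is at `path`.

    The two opens are separate path lookups, so anything an unprivileged user
    does to the file in between (the `race` callback) goes straight to root.
    """
    with open(path, "rb") as f:          # time of check
        if not verify(f.read(), signature):
            raise PermissionError("package signature check failed")
    race()                               # window between check and use
    with open(path, "rb") as f:          # time of use
        return install_as_root(f.read())


def hardened_update(path: str, signature: str, race: Callable[[], None]) -> bytes:
    """Read the package once, then verify and install the same bytes.

    Zoom's fix reaches the same end differently: it chowns the .pkg to root so
    the unprivileged user can no longer alter it after the check. Either way,
    what gets installed is exactly what was verified.
    """
    with open(path, "rb") as f:
        pkg = f.read()                   # single read: check and use share it
    race()                               # attacker's swap no longer matters
    if not verify(pkg, signature):
        raise PermissionError("package signature check failed")
    return install_as_root(pkg)


def run_scenario(update: Callable[[str, str, Callable[[], None]], bytes]) -> bytes:
    """Drop a genuine, correctly signed package in a user-writable directory and
    let a simulated local attacker overwrite it after the updater has checked it."""
    with tempfile.TemporaryDirectory() as download_dir:
        path = os.path.join(download_dir, "update.pkg")
        with open(path, "wb") as f:
            f.write(GENUINE_PKG)
        signature = sign(GENUINE_PKG)    # legitimate signature for the genuine package

        def swap_package() -> None:      # the local attacker's move
            with open(path, "wb") as f:
                f.write(MALICIOUS_PKG)

        return update(path, signature, swap_package)


if __name__ == "__main__":
    print("vulnerable updater ran:", run_scenario(vulnerable_update))
    print("hardened updater ran:  ", run_scenario(hardened_update))
```

Run it and the vulnerable updater returns the attacker's package even though only the genuine one was ever signed; the hardened updater returns the genuine package regardless of what the attacker does to the file after the check. The same lesson applies to any privileged installer: verify the exact object you are about to execute, not a path that someone else can still write to.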