A cybersecurity researcher has revealed a vulnerability in the “Zoom” communication application, through which it can attack the Mac OS version.
The details of the vulnerability were revealed in a presentation given by Patrick Wardle, a Mac security specialist, at a hacking conference in Las Vegas, organized on Friday.
Some bugs have already been fixed, but the researcher also provided one uncorrected security vulnerability that still affects the systems so far, according to what The Verge reported.
The vulnerability appears by targeting the installation program of the “Zoom” application, which needs to run with special permission from the user, in order to install or remove it from the computer.
Although the installer requires the user to enter their password when the app is first added to the system, Wardle has found that the auto-update function then runs continuously in the background with user privileges.
When the Zoom app released its latest update, it installed a new package of protection mechanisms following verifying its signature in encrypted form.
But any error in how the examination method is implemented means giving the updater an opportunity to access the application, such as entering a file with a name similar to the Zoom signature certificate, “as this will be enough to pass those mechanisms,” according to the same specialist.
As a result, the attacker has already gained initial access to the target system and then uses another vulnerability to gain a higher level of access.
In this case, the attacker starts with a restricted user account but escalates to the most powerful user type, known as a “super user”, allowing him to add, remove, or modify any files on the device.
Wardle is the founder of the Objective Sea Foundation, a nonprofit that creates open source security tools for Mac OS X.
Wardle reported the vulnerability to Zoom in December of last year, but was frustrated, saying that the initial fix from Zoom contained another bug that means the vulnerability is still exploitable in a slightly roundregarding way, so he exposed this bug. The second was for Zoom, and waited eight months before publishing the research.