A cybersecurity researcher has discovered a way an attacker can take advantage of the macOS version of Zoom to gain access to the entire operating system.
Details of the vulnerability were revealed in a presentation given by Mac security specialist Patrick Wardle at a hacking conference in Las Vegas on Friday.
Some bugs have already been fixed, but the researcher also provided one uncorrected security vulnerability that still affects the systems so far, according to the magazine.The Verge“.
The vulnerability appears by targeting the Zoom application installer, which needs to run with special permission from the user, in order to install or remove it from the computer.
Although the installer requires the user to enter their password when the app is first added to the system, Wardle has found that the auto-update function then runs continuously in the background with user privileges.
And when the Zoom app released its latest update, it installed a new package of protection mechanisms after verifying its signature in encrypted form.
But any error in how the examination method is implemented means giving the updater an opportunity to access the application, such as entering a file with a name similar to the Zoom signature certificate, “as this will be enough to pass those mechanisms,” according to the same specialist.
As a result, the attacker has already gained initial access to the target system and then uses another vulnerability to gain a higher level of access.
In this case, the attacker starts with a restricted user account but escalates to the most powerful user type, known as a “super user” allowing him to add, remove, or modify any files on the device.
Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open source security tools for macOS.
Wardel reported the vulnerability to Zoom in December of last year, but was frustrated, saying that the initial fix from Zoom contained another bug meaning that the vulnerability was still exploitable in a slightly roundabout way, so this second bug was revealed to Zoom. and waited eight months before publishing the research.