Update Zoom For Mac Right Away To Prevent The Root-access Flaw

zoom update

It’s time for a manual update if you use Zoom on a Mac. The most recent version of the video conferencing software closes a bug in the auto-update feature that may have given malicious apps elevated installing privileges and system control.

Patrick Wardle, the creator of the Objective-See Foundation and a nonprofit organization dedicated to Mac OS security, was the first to identify the flaw. Last week, Wardle explained in a session at Def Con how Zoom’s installer requests a user password when installing or uninstalling but does not require one for its auto-update function, which is turned on by default. Wardle discovered that the root user owns and controls Zoom’s updater.

Only Zoom clients could access the privileged daemon, and only Zoom-signed packages could be extracted, thus it appeared secure. The issue is that this check might be circumvented by simply giving the verification checker the name of the package it was looking for (“Zoom Video… Certification Authority Apple Root CA.pkg”). Because of this, malevolent actors might compel Zoom to downgrade to a buggy, less secure version or even send it a completely different package that would grant them root access to the machine.

Prior to his discussion, Wardle informed Zoom of his discoveries, and while certain portions of the vulnerability were patched, key root access remained accessible as of Wardle’s presentation on Saturday. Later on that day, Zoom released a security bulletin, and shortly after that, Zoom 5.11.5 (9788) received a fix. You can either select “Check for updates” in your menu bar or directly download the update from Zoom. For a number of reasons, we wouldn’t advise waiting for an automated update.

Read More:

Zoom’s software security history is patchy—and occasionally outright unsettling. After acknowledging that it had deceived the FTC for years about providing end-to-end encryption, the firm reached a settlement with them in 2020. Wardle previously disclosed a Zoom flaw that permitted hackers to obtain Windows login information by sending a text message. Before that, Zoom was discovered to be operating a full undocumented web server on Macs, which prompted Apple to release its own quiet update to terminate the server.

A Zoom issue from May of last year employed a comparable downgrade and signature-check bypass to enable zero-click remote code execution. Dan Goodin of Ars observed that his Zoom client did not automatically upgrade when the remedy for that problem was made available; instead, a manual download of an interim version was necessary. If Zoom users aren’t immediately updated, hackers may be able to quickly exploit revealed Zoom vulnerabilities, according to Goodin. Of course, without root access.

Some FAQs

On an outdated Mac, how do you update the zoom?
On your Mac, go to the Zoom Download Page. To download the Zoom Client for Meetings, select the Download option. Hold off till the downloading is finished.

On an outdated Mac, how do you update the zoom?
On your Mac, go to the Zoom Download Page. To download the Zoom Client for Meetings, select the Download option. Hold off till the downloading is finished. On an outdated Mac.

May 23, 2022 version 5.10. 6 (5889)
Installing Zoom (Mac)
  1. Go to the Zoom Download page.
  2. On the “Zoom Software Download Center” page, download the first option Zoom Client for Meetings.
  3. Once the download is complete, open the Finder. …
  4. In the pop-up window, click Continue to run the installer program.
  5. Follow the prompts to complete the install process.