Until recently, the Zoom app for the Mac contained a serious security vulnerability in its update feature. The video conferencing specialist warned of it in a security bulletin on Saturday. The bug allowed processes without admin privileges to gain root rights via Zoom's own update routine and thus do almost anything on the system (CVE-2022-28756, CVSS 8.8, risk "high").
Demo exploit already present
The well-known macOS security specialist Patrick Wardle demonstrated an exploit for the problem at the DEF CON security conference in Las Vegas on Friday. It was initially unclear whether the bug was also being exploited in the wild or whether only this demo exploit existed. According to Wardle, the problem is a fairly classic privilege escalation: an app running with normal user rights obtains root rights through other processes, including ones outside the app itself.
Wardle found what he was looking for in the Zoom update routine, which according to the manufacturer was affected in versions 5.7.3 to 5.11.3. The current macOS version, 5.11.5, is patched. Wardle, who runs his own non-profit organization Objective-See, which is primarily dedicated to Mac security, explains that Zoom's update routine installed new packages only after verifying that they carried Zoom's cryptographic signature.
Long time to fix
The bug, however, meant that this check was not carried out correctly: it was enough for a file to present the Zoom certificate and carry the expected name, and the updater would then run arbitrary software with root privileges. Malware that got that far could install and change anything on the system that a superuser can.
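To make that failure mode concrete, the following is an added illustrative model, not Zoom's code and not Wardle's exploit, of an updater check that matches a string against a text report in which the attacker-controlled file name is echoed, next to a version that parses the report field by field and compares the signer exactly. The signer identity, the report format of the simulated signature-check tool and the Package type are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical signer identity the updater expects; not Zoom's real certificate subject.
EXPECTED_SIGNER = "Developer ID Installer: Example Video Corp (EXAMPLE123)"


@dataclass
class Package:
    """Constructed stand-in for an installer package on disk."""
    filename: str
    signed: bool
    signer: Optional[str] = None  # leaf certificate subject, None if unsigned


def simulated_check_signature(pkg: Package) -> str:
    """Constructed stand-in for a signature-check tool's text report.

    Like real tools, the report echoes the package's file name in its first
    line, so part of the text is chosen by whoever supplied the file.
    """
    lines = [f'Package "{pkg.filename}":']
    if pkg.signed:
        lines.append("   Status: signed by a certificate trusted by the OS")
        lines.append(f"   1. {pkg.signer}")
    else:
        lines.append("   Status: no signature")
    return "\n".join(lines)


def flawed_verify(pkg: Package) -> bool:
    """Flawed check: accept if the expected signer string appears anywhere
    in the report. The file name is part of the report, so a file named
    after the expected signer passes without carrying a valid signature."""
    return EXPECTED_SIGNER in simulated_check_signature(pkg)


def hardened_verify(pkg: Package) -> bool:
    """Hardened check: parse the report field by field. Require a signed
    status and an exact match on the leaf signer line. The last occurrence
    of each field is used, because the attacker-controlled file name is
    echoed at the start of the report and could contain injected lines."""
    report = simulated_check_signature(pkg)
    statuses = re.findall(r"^\s*Status:\s*(.*)$", report, re.MULTILINE)
    if not statuses or not statuses[-1].startswith("signed"):
        return False
    leaves = re.findall(r"^\s*1\.\s(.*)$", report, re.MULTILINE)
    return bool(leaves) and leaves[-1] == EXPECTED_SIGNER


# Constructed test packages.
GENUINE = Package("Updater.pkg", signed=True, signer=EXPECTED_SIGNER)
# Unsigned file whose name contains the expected signer string.
RENAMED = Package(f"{EXPECTED_SIGNER}.pkg", signed=False)
# Signed by a different developer, again with the tell-tale name.
ATTACKER_SIGNED = Package(f"{EXPECTED_SIGNER}.pkg", signed=True,
                          signer="Developer ID Installer: Mallory (MALLORY00)")


def compare(pkg: Package) -> dict:
    """Return both verdicts for a package so the difference is visible."""
    return {"flawed": flawed_verify(pkg), "hardened": hardened_verify(pkg)}


if __name__ == "__main__":
    for name, pkg in [("genuine", GENUINE), ("renamed", RENAMED),
                      ("attacker-signed", ATTACKER_SIGNED)]:
        print(f"{name:16s} {compare(pkg)}")
```

The point of the model is that the flawed check accepts all three packages, while the hardened one accepts only the genuinely signed one. Even the hardened version is still parsing free text, which is why a real updater should obtain the signer identity through a structured signature-verification API rather than from a tool's printed output, and should install exactly the bytes it verified rather than re-opening the path afterwards.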
Wardle had already discovered the bug in December 2021. Zoom responded with a fix, but it only partially solved the problem: Wardle found a way to bypass it. He then waited another eight months for a real fix. Wardle told the IT blog The Verge that this was "a little problematic" for him. He had not only reported the errors to Zoom, but also explained to the company the mistakes it had made in implementing the fix. It was "very frustrating" to wait up to eight months while vulnerable Zoom versions remained on all Macs.
The fix should now ensure that root rights can no longer be obtained so easily. The patch is still not perfect, however: according to Wardle, even after the change there could, at least in theory, be another privilege escalation. Zoom says it is working on the problem; when the second fix will arrive is uncertain. Zoom already had to fix a serious vulnerability in its macOS app in 2019, one so problematic that Apple intervened.