Since the beginning of the COVID 19 pandemic, video conferencing apps like Zoom have become an indispensable part of our everyday lives. It’s just a shame when they have a security hole that still hasn’t been plugged after eight months. This is exactly the case with Zoom. Eight months after it was reported to the provider in December 2021, a researcher has now published the gap because it has still not been fixed.
Zoom vulnerability still open
Zoom is one of the best video conferencing apps for us, and it’s hard to imagine everyday life without it. However, since at least December 2021, there has been a huge Zoom security hole in the program.
To be more precise, there are even several security holes that security researcher Patrick Wardle has now made public at the hacker conference Def Con. A zero day vulnerability under macOS has still not been fixed, as Wardle explains in the report from The Verge. Other problems, however, have since been fixed, he said.
Zoom responds: At least Zoom finally updated its Mac app yesterday, as a follow-up to the reporting. The new app with version 5.11.5 you should download, because this – according to the manufacturer – exactly this vulnerability now finally closed.
Updater with security hole
The vulnerability affects the program’s installer, which requires special user permissions to install or remove Zoom. During the initial installation, Zoom requires the user’s password, but this is no longer requested during the automatic update function, which runs steadily in the background. And requests super-user rights.
The updater checks whether a downloaded file is cryptographically signed, but this can easily be fooled by a bug. Any file with the same certificate signature could be used to trick the program.
This means that attackers can simply bypass the verification and easily execute malware with administrator rights. However, this is only possible if the attackers have already gained access to the system in some other way. But then they have free access to the affected system.
Security flaw was open for eight months
Wardle says he reported the security flaw to Zoom Video Communications, Inc. as early as December 2021, and they responded promptly. However, the fix resulted in another bug that allowed the addressed vulnerability to continue to run without a problem.
“It was kind of problematic for me because I not only submitted the bugs to Zoom, but I also pointed out the bugs and revealed how to fix the code,” Wardle told The Verge.
Now, he said, after eight frustrating months of waiting, he has decided to make the Zoom security flaw public. And this time, the vendor seems to have actually gotten a handle on the problem.
After releasing another patch just recently, a few weeks before Def Con, which managed to fix the original bug, but still didn’t close the security hole. But now Zoom seems to have finally got a handle on the app’s security flaw for macOS. Or maybe not?
No replies yet
Neue Antworten laden...
Gehört zum Inventar
Beteilige dich an der Diskussion in der Basic Tutorials Community →