![]() If you are on macOS 10.10 or above, the script will delete the file "ZoomAudioDevice.kext" from the .app bundle. If run by an administrator, the script also executes a script as root to change the ownership of .app to root:admin. It also adds Zoom to your Dock automatically, without asking.īizarrely, .app is installed by unzipping a 7-zip archive, then unzipping another 7-zip archive containing graphics and copying that inside the Frameworks folder in the .app bundle. If they are an administrator, Zoom will delete the ugin from /Library if it's there, but it still installs to ~/Library. If the user opening the package isn't an administrator, it looks like it will install the app in the user's home folder instead. The script appears to install two items, namely: /Applications/.app That's bonkers, and also means that the system won't have a list of the files it installed, because it's doing it using shell script. Rather than actually using the installer to install things, it does everything in the preinstall script. “A local low-privileged user could exploit this vulnerability to escalate their privileges to root,” the company wrote in its advisory.The Zoom install package for macOS is mad. Update Monday, August 15, 2022, at 2:10 pm ET: The day after Wardle's talk, Zoom released a patch for the flaw he disclosed at DefCon. But Wardle’s findings are an important reminder to keep updating-automatically or not. To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.” “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. ![]() “The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. But Wardle noticed that there is a moment after the installer verifies the software package-but before the package installs it-when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. “As always, we recommend users keep up to date with the latest version of Zoom … Zoom also offers automatic updates to help users stay on the latest version.”ĭuring his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. “We have already resolved these security issues,” a Zoom spokesperson told WIRED in a statement. In other words, Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check. Zoom’s signature check was essentially looking at everything on the table and accepting the random birthday card signature instead of actually checking whether the signature was in the right place on the right document. Imagine that you carefully sign a legal document and then put the piece of paper facedown on a table next to a birthday card that you signed more casually for your sister. Ultimately, he realized that Zoom’s check could be defeated. (It’s a sort of wax-seal check to confirm the integrity and provenance of software.) Wardle knew from past research and his own software development that it can be difficult to truly validate signatures in the types of conditions Zoom had set up. The first vulnerability Wardle found, though, was in the cryptographic signature check.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |