Zoom Fixes Security Flaws in Mac That Could Have Allowed Hackers to Take Control of Victim's Machine

A total of three security flaws in Zoom have been reported since December 2021.

By Sourabh Kulesh | Updated: 16 August 2022 13:33 IST
Highlights
  • Fix for first two flaws had another vulnerability
  • Hackers could have injected malicious software
  • Some pre-access was needed to infect machine

Security flaws were found in Zoom installer

Photo Credit: Twitter/ Zoom

Zoom has fixed vulnerabilities that could have allowed an attacker to gain total control of a victim's machine. The issues were found and reported to Zoom in December 2021 but were presented publicly at the DefCon security conference in Las Vegas last week by Mac security researcher Patrick Wardle. He said that he had flagged two issues in the automatic update feature of the video communication platform last year, and both were fixed. However, the fix introduced another vulnerability, which Wardle shared onstage at the conference. Zoom has also plugged this third flaw.

As per multiple reports by The Verge and Wired, the first security flaw found by Wardle, who is a security researcher and founder of the Objective-See Foundation that creates open-source macOS security tools, was in the Zoom installer. The second one was in the tool that helped in confirming the cryptographic signatures needed to install updates. Zoom has patched the vulnerabilities and the patched version is now available for download.


But how did the vulnerabilities expose users? The Zoom installer asks the user for their credentials, which grant it the special permissions needed to install or remove the app. After that, the Zoom app automatically downloads and installs security patches, checking each package's cryptographic signature before installing it. The first vulnerability could have allowed an attacker to substitute the signature that the privileged installer trusts, so that the installer would install a malicious update.

The second vulnerability was in the tool that checks those cryptographic signatures. When Zoom is installed on a Mac, the system relies on a standard macOS helper tool to confirm the signature and to check that the update being delivered is newer than the installed version, which is what stops an attacker from installing an old, flawed version. Wardle found a flaw that could let an attacker trick the tool into accepting an old, vulnerable version and then take total control of the victim's machine.


There was also a third vulnerability, which Wardle found and discussed on stage last week. He said that after the first two flaws were patched, so that Zoom now performs its signature check securely and the downgrade attack is closed, a third opening remained: there is a moment after the signature is verified and before the package is installed on the system when an attacker could inject their own malicious software into the Zoom update.

Because the injected software is installed as part of the update, it inherits all the privileges the update was granted after passing its checks. An attacker could force the Zoom user to reinstall the update, gaining repeated opportunities to insert a malicious patch and obtain root access to the victim's device, just as Wardle demonstrated. However, the researcher says that exploiting any of these flaws requires the attacker to already have some access to the victim's machine. Zoom has also plugged the third flaw.
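The third flaw described above is a time-of-check-to-time-of-use problem: the updater verifies a package in a location the user (and therefore any malware running as the user) can write to, and then installs from that same location, so the bytes verified and the bytes installed need not be the same. The following Python is an added illustration of the defensive pattern, not Zoom's code or Wardle's proof of concept. It assumes an HMAC-SHA256 tag as a stand-in for a real code signature, a constructed package layout whose first line is `version=X.Y.Z`, and an ordinary temporary directory standing in for a root-owned, mode-0700 staging directory. `vulnerable_install` verifies then re-reads the user-writable path; `hardened_install` copies the package into private storage first, verifies that copy, refuses downgrades, and installs exactly the bytes it verified.

```python
"""Verify-then-install without a race window, beside the racy version."""
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Callable, Dict, Optional, Tuple

# Assumption: an HMAC-SHA256 tag stands in for the vendor's code signature so the
# example runs offline. The key is a constructed demo value, not a real secret.
VENDOR_KEY = b"constructed-demo-signing-key"


def sign_package(package: bytes) -> bytes:
    """Produce the 'vendor signature' for a package (constructed stand-in)."""
    return hmac.new(VENDOR_KEY, package, hashlib.sha256).digest()


def signature_valid(package: bytes, signature: bytes) -> bool:
    """Constant-time comparison of the package's tag against the supplied one."""
    return hmac.compare_digest(sign_package(package), signature)


def package_version(package: bytes) -> Tuple[int, ...]:
    """Constructed package layout: first line 'version=X.Y.Z', then the payload."""
    header, _, _ = package.partition(b"\n")
    if not header.startswith(b"version="):
        raise ValueError("package has no version header")
    return tuple(int(p) for p in header[len(b"version="):].split(b"."))


def _check(data: bytes, signature: bytes, installed: Tuple[int, ...]) -> None:
    """Signature check plus downgrade refusal (the two checks the article describes)."""
    if not signature_valid(data, signature):
        raise PermissionError("bad signature")
    if package_version(data) <= installed:
        raise PermissionError("downgrade refused")


def vulnerable_install(path: str, signature: bytes, installed: Tuple[int, ...],
                       race: Optional[Callable[[], None]] = None) -> bytes:
    """Verify the file at `path`, then install from that same user-writable path.
    `race` simulates whatever happens in the window between check and install."""
    with open(path, "rb") as f:
        _check(f.read(), signature, installed)
    if race:
        race()                      # window between verification and install
    with open(path, "rb") as f:     # re-reads the file, which may have changed
        return f.read()             # "installs" whatever is there now


def hardened_install(path: str, signature: bytes, installed: Tuple[int, ...],
                     race: Optional[Callable[[], None]] = None) -> bytes:
    """Copy the package into private storage first, then verify and install that
    single copy. Later changes to `path` cannot affect what gets installed."""
    private = tempfile.mkdtemp(prefix="updater-")   # production: root-owned, mode 0700
    try:
        staged = os.path.join(private, "update.pkg")
        shutil.copyfile(path, staged)
        os.chmod(staged, 0o400)
        with open(staged, "rb") as f:
            data = f.read()
        _check(data, signature, installed)
        if race:
            race()                  # same window, but `path` is no longer consulted
        return data                 # install exactly the bytes that were verified
    finally:
        shutil.rmtree(private, ignore_errors=True)


def demo() -> Dict[str, object]:
    """Run both flows on constructed packages while a simulated attacker swaps the
    user-writable file after verification, and try a validly signed old version."""
    legit = b"version=2.0.0\nconstructed legitimate payload"
    tampered = b"version=2.0.0\nconstructed tampered payload"
    old = b"version=1.8.0\nconstructed but outdated payload"
    installed = (1, 9, 0)
    workdir = tempfile.mkdtemp(prefix="downloads-")
    path = os.path.join(workdir, "update.pkg")

    def write(data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)

    try:
        write(legit)
        got_vulnerable = vulnerable_install(path, sign_package(legit), installed,
                                            race=lambda: write(tampered))
        write(legit)
        got_hardened = hardened_install(path, sign_package(legit), installed,
                                        race=lambda: write(tampered))
        write(old)
        try:
            hardened_install(path, sign_package(old), installed)
            downgrade_refused = False
        except PermissionError:
            downgrade_refused = True
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"vulnerable": got_vulnerable, "hardened": got_hardened,
            "downgrade_refused": downgrade_refused}
```

Running `demo()` shows the vulnerable flow handing the tampered bytes to the installer even though only the legitimate bytes ever passed the signature check, while the hardened flow installs the verified copy regardless of the swap and refuses the correctly signed but older package. The ordering (copy to private storage, verify the copy, install the copy) is the property the fix has to guarantee; the signature scheme itself is not what was broken.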

