Zoom has patched a major security hole that could have allowed hackers to hijack a macOS device running the video conferencing software.
The move came after Mac security specialist Patrick Wardle demonstrated how a cybercriminal could abuse the way macOS handles software patches to trigger privilege escalation and essentially hijack the device.
He initially said that the vulnerability chained together several flaws, most of which the company had addressed. One, however, remained, and it was patched at a later date, finally resolving the problem.
Updater cheating
The problem lies in the way macOS handles updates. The first time a user installs an application or program on an endpoint, they must run the installer with elevated permissions, typically granted by entering a password. After that, automatic updates run indefinitely with superuser privileges.
In the case of Zoom, the updater first checks whether the company has cryptographically signed the new package and, if so, proceeds with the update. However, if the updater receives a file whose name matches the Zoom signing certificate, it will run it anyway. In other words, an attacker could slip arbitrary malware in through the updater, and because the updater runs with superuser privileges, that third party gains full access to the device.
The flaw was later assigned CVE-2022-28756 and has been fixed in Zoom 5.11.5 for macOS, which is now available for download.
While Wardle initially described the bug as relatively easy to fix, even he was surprised by the speed with which Zoom solved the problem: “Mahalos to Zoom for the (incredibly) quick fix!” Wardle tweeted. “By reversing the patch, we can see that the Zoom installer now calls lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”
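The two weaknesses the article describes, a signer check that can be satisfied by a file name and a package that stays writable between the check and the privileged install, are easy to model. The following is an added example written for this page, not Zoom's code or Wardle's: the signature-tool output format, the signer string "Example Corp", and the helper names are all constructed for the demonstration. The vulnerable check searches the tool's whole text output for the signer string, so a file whose name carries that string passes even though it is unsigned; the hardened check reads only the certificate field. The ownership check stands in for the lchown-style fix mentioned above: before a privileged install step, the package must be a regular file owned by the installing user and not writable by anyone else, so the bytes that were verified are the bytes that get installed.

```python
"""
Added example (not Zoom's code): a privileged auto-updater's signer check
and pre-install ownership check, each in a weak and a hardened form.
The signature-tool output format below is constructed for the demo and is
an assumption; it is not the output of any real utility.
"""
import os
import stat
import tempfile
from typing import Optional

EXPECTED_SIGNER = "Developer ID Certification: Example Corp"  # constructed value


def simulated_signature_output(pkg_path: str, signer: Optional[str]) -> str:
    """Constructed stand-in for a signature-checking tool. Like many such
    tools it echoes the path on the first line, then a status line, then one
    numbered line per certificate in the signing chain."""
    lines = [f'Package "{pkg_path}":']
    if signer is None:
        lines.append("   Status: no signature")
    else:
        lines.append("   Status: signed by a developer certificate")
        lines.append(f"   1. {signer}")
    return "\n".join(lines)


def weak_signer_check(tool_output: str) -> bool:
    """Vulnerable pattern: any occurrence of the signer string passes,
    including one that the tool echoed from the file name."""
    return EXPECTED_SIGNER in tool_output


def strict_signer_check(tool_output: str) -> bool:
    """Hardened pattern: skip the echoed path (first line), require a signed
    status, and compare the signer only against the certificate field."""
    lines = [ln.strip() for ln in tool_output.splitlines()]
    if len(lines) < 3 or not lines[1].startswith("Status: signed"):
        return False
    leaf = lines[2]
    return leaf.startswith("1. ") and leaf[3:] == EXPECTED_SIGNER


def package_is_locked_down(pkg_path: str) -> bool:
    """Pre-install check for a privileged installer: the package is a regular
    file (not a symlink), owned by the installing user, and not writable by
    group or others, so it cannot be swapped after verification."""
    st = os.lstat(pkg_path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def demo_lockdown(mode: int) -> bool:
    """Create a throwaway package file with the given mode and report whether
    the ownership check would allow it to be installed."""
    fd, path = tempfile.mkstemp(suffix=".pkg")
    try:
        os.write(fd, b"constructed package bytes")
        os.close(fd)
        os.chmod(path, mode)
        return package_is_locked_down(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # An unsigned package whose file name carries the expected signer string.
    spoofed = f"/tmp/{EXPECTED_SIGNER}.pkg"
    out = simulated_signature_output(spoofed, signer=None)
    print("weak check accepts spoofed name:  ", weak_signer_check(out))    # True
    print("strict check accepts spoofed name:", strict_signer_check(out))  # False
    # A genuinely signed package with an ordinary name.
    out = simulated_signature_output("/tmp/update.pkg", EXPECTED_SIGNER)
    print("strict check accepts real signer: ", strict_signer_check(out))  # True
    # Ownership: a world-writable package must not reach the privileged step.
    print("0644 package locked down:", demo_lockdown(0o644))  # True
    print("0666 package locked down:", demo_lockdown(0o666))  # False
```

The strict check is still scraping text, so it remains fragile against a tool that formats its output differently; where a signature-verification API is available, call it directly rather than parsing console output. The ownership check is deliberately run immediately before the install step and on the exact path that will be installed, because a check made earlier or on a different path is what a file swap defeats.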
By: Borderland