You Should Probably Update Zoom on Your Mac

Zoom has fixed a bug that could’ve allowed unrestricted access to macOS systems.

According to an Aug. 13 security bulletin, Zoom versions 5.7.3 to 5.11.5 contain an auto-update vulnerability that could be exploited by a local low-privileged user to gain unrestricted access to Apple’s operating system. The weakness, revealed by Mac security specialist Patrick Wardle at last week’s DefCon, was patched in Zoom version 5.11.5, which is available now.

The exploit targets the Zoom installer, which requires a user password when first added, The Verge notes. Wardle, however, found that an auto-update function running continuously in the background could be tricked into embedding malware by using Zoom’s cryptographic signature. Once inside the system, a hacker can modify, delete, or add files to the device.

“I was curious about exactly how they were setting this up,” Wardle told Wired before his DefCon talk. “And when I took a look, it seemed on first pass that they were doing things securely—they had the right ideas. But when I looked closer, the quality of the code was more suspect, and it appeared that no one was auditing it deeply enough.”

On Twitter, Wardle praised Zoom for its “incredibly quick fix.” In evaluating the patch, Wardle says the “Zoom installer now invokes lchown to update the permissions to the update .pkg, thus preventing malicious subversion.”
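The property that fix enforces can be checked from the defender's side before any file is handed to a privileged installer. The following is an added example, not Zoom's code or Wardle's: the function name `audit_update_package` and the sample file are hypothetical, and it assumes root (uid 0) is the only account that should own the package and its directory.

```python
import os
import stat
import tempfile

def audit_update_package(path, trusted_uid=0):
    """Return findings that make `path` unsafe for a privileged installer to consume."""
    findings = []
    st = os.lstat(path)  # lstat inspects the entry itself, never a symlink target
    is_link = stat.S_ISLNK(st.st_mode)
    if is_link:
        findings.append("path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("path is not a regular file")
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    # Symlink mode bits are not meaningful on every platform, so skip them.
    if not is_link and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    # A file can also be swapped by whoever controls the directory holding it.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != trusted_uid:
        findings.append(f"parent directory owned by uid {parent.st_uid}")
    sticky = parent.st_mode & stat.S_ISVTX
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
        findings.append("parent directory writable by group or other")
    return findings

if __name__ == "__main__":
    # Constructed sample: a stand-in package in a private temp directory.
    workdir = tempfile.mkdtemp()
    pkg = os.path.join(workdir, "update.pkg")
    with open(pkg, "wb") as fh:
        fh.write(b"constructed sample, not a real package")
    os.chmod(pkg, 0o666)
    for finding in audit_update_package(pkg):
        print("FINDING:", finding)
```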

To install the 5.11.5 update on your Mac, sign in to the Zoom desktop client, tap your profile picture, and select Check for updates. If there is a newer version, Zoom will download and install it.

At the other big security conference last week, Black Hat, another security researcher demonstrated how he used Zoom technology that underlies other applications to completely control a target’s computer. Patches have also been issued for that vulnerability.
