Zoom’s Auto-Update Feature Came With Hidden Risks on Mac

By Press room. Published August 12, 2022. Last updated: 2022/08/12 at 9:00 PM.
Many of us have been there: You fire up the Zoom app as you rush to join a meeting you’re already late for, and you’re hit with a prompt to download updates. If something like this has happened to you, you’re enrolled in Zoom’s automatic update feature.

Launched in its current form in November 2021 for Zoom’s Windows and Mac desktop apps, the feature aims to help users keep up with software patches. You enter your system password when you initially set up the feature, granting Zoom permission to install patches, then you never have to enter it again. Easy. But after noticing the feature, longtime Mac security researcher Patrick Wardle wondered whether it was a little too easy.

At the DefCon security conference in Las Vegas today, Wardle presented two vulnerabilities he found in the automatic update feature’s validation checks for the updates. For an attacker who already had access to a target Mac, the vulnerabilities could have been chained and exploited to grant the attacker total control of a victim’s machine. Zoom has already released fixes for both vulnerabilities, but onstage on Friday, Wardle announced the discovery of an additional vulnerability, one he hasn’t yet disclosed to Zoom, that reopens the attack vector.

“I was curious about exactly how they were setting this up. And when I took a look, it seemed on first pass that they were doing things securely—they had the right ideas,” Wardle told WIRED ahead of his talk. “But when I looked closer, the quality of the code was more suspect, and it appeared that no one was auditing it deeply enough.”

To automatically install updates after the user enters their password once, Zoom installs a standard macOS helper tool that Wardle says is widely used in development. The company set up the mechanism so only the Zoom application could talk to the helper. This way, no one else could connect and mess with things. The feature was also set up to run a signature check to confirm the integrity of the updates being delivered, and it specifically checked that the software was a new version of Zoom, so hackers couldn’t launch a “downgrade attack” by tricking the app into installing an old and vulnerable version of Zoom.

The first vulnerability Wardle found, though, was in the cryptographic signature check. (It’s a sort of wax-seal check to confirm the integrity and provenance of software.) Wardle knew from past research and his own software development that it can be difficult to truly validate signatures in the types of conditions Zoom had set up. Ultimately, he realized that Zoom’s check could be defeated. Imagine that you carefully sign a legal document and then put the piece of paper facedown on a table next to a birthday card that you signed more casually for your sister. Zoom’s signature check was essentially looking at everything on the table and accepting the random birthday card signature instead of actually checking whether the signature was in the right place on the right document. In other words, Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check.
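An illustration of the class of validation flaw the article describes, as an added example that is not Zoom’s code or Wardle’s: the verification output lines, vendor name, bundle identifier and team ID below are constructed placeholders laid out like `codesign -dv` key=value output. A check that substring-searches the whole output accepts a package whose file name merely contains the expected strings; a check that parses the fields and compares them exactly does not.

```python
# Constructed placeholder values (not real Zoom identifiers).
EXPECTED_IDENTIFIER = "com.example.updater"
EXPECTED_AUTHORITY = "Developer ID Application: Example Vendor (TEAMID0000)"

# Constructed output for a genuinely signed update package.
GENUINE_OUTPUT = """\
Executable=/tmp/updates/Example.pkg
Identifier=com.example.updater
Format=Mach-O thin (x86_64)
Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed output for a package whose *file name* carries the expected
# strings while its signature fields belong to someone else: the casually
# signed birthday card lying next to the real contract.
MISNAMED_OUTPUT = """\
Executable=/tmp/updates/Developer ID Application: Example Vendor (TEAMID0000) com.example.updater.pkg
Identifier=com.attacker.payload
Format=Mach-O thin (x86_64)
Authority=Developer ID Application: Someone Else (OTHERTEAM1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""


def weak_check(output: str) -> bool:
    """Looks at 'everything on the table': passes if the markers appear anywhere."""
    return EXPECTED_AUTHORITY in output and EXPECTED_IDENTIFIER in output


def parse_fields(output: str) -> dict:
    """Split key=value lines; repeated keys (Authority chain) become lists, leaf first."""
    fields: dict = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def strict_check(output: str) -> bool:
    """Compare the exact Identifier field and the leaf Authority field only."""
    fields = parse_fields(output)
    return (fields.get("Identifier") == [EXPECTED_IDENTIFIER]
            and fields.get("Authority", [None])[0] == EXPECTED_AUTHORITY)
```

The file name never enters `strict_check`, so renaming a package cannot change the result; only the signature fields themselves are compared.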
