Wardle discovered that attackers could bypass the signature check by naming their malware file a certain way. Once in, they could gain root access and control the victim’s Mac. The Verge says Wardle disclosed the bug to Zoom in December 2021, but the patch that was released contained another bug.

This second vulnerability could have given attackers a way to bypass the safeguard Zoom put in place to make sure an update delivers the latest version of the app. Wardle reportedly found that it is possible to trick a tool that facilitates the distribution of Zoom updates into accepting an older version of the video conferencing software.

Zoom has already patched that flaw as well, but Wardle found another vulnerability, which he also presented at the conference. He discovered that there is a window of time between the automatic installer verifying a software package and the actual installation process, and that this window allows an attacker to inject malicious code into the update. A download intended for installation can apparently retain its original read-write permissions, allowing any user to modify it. This means that even users without root access could replace its contents with malicious code and gain control of the target computer.

The company told The Verge that it is now working on a patch for the new vulnerability revealed by Wardle. As Wired notes, however, attackers must have access to a user’s device in order to exploit these flaws. Even though there’s no immediate danger to most people, Zoom advises users to “stay up to date with the latest version” of the app whenever one comes out.
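The gap described above, between verifying a package and installing it, is the kind an installer closes by verifying a private copy instead of the downloaded file. The sketch below is an added example, not Zoom's code: it uses a SHA-256 digest as a stand-in for the real signature check, and the function names and the staging directory (assumed to sit somewhere only the installer's user can write) are hypothetical.

```python
import hashlib
import os
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def is_tamperable(path):
    """True if the file or its directory is writable by group or other users."""
    parent = os.path.dirname(os.path.abspath(path))
    return any(os.stat(p).st_mode & WRITABLE_BY_OTHERS for p in (path, parent))


def stage_and_verify(src, expected_sha256, staging_dir):
    """Copy src into a private directory, hashing the bytes as they are copied.

    The digest covers exactly the bytes written to the staged copy, so a later
    change to src cannot affect what gets installed. Assumption: the digest
    stands in for whatever signature verification the real installer performs.
    """
    os.makedirs(staging_dir, mode=0o700, exist_ok=True)
    os.chmod(staging_dir, 0o700)  # enforce even if the directory already existed
    dst = os.path.join(staging_dir, os.path.basename(src))
    digest = hashlib.sha256()
    # O_NOFOLLOW: refuse a symlink swapped in for the download.
    with os.fdopen(os.open(src, os.O_RDONLY | os.O_NOFOLLOW), "rb") as fin:
        # O_EXCL: fail rather than reuse a file someone else pre-created.
        dst_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(dst_fd, "wb") as fout:
            for chunk in iter(lambda: fin.read(65536), b""):
                digest.update(chunk)
                fout.write(chunk)
            fout.flush()
            os.fchmod(fout.fileno(), 0o400)  # owner read-only, nothing for others
    if digest.hexdigest() != expected_sha256:
        os.unlink(dst)
        raise ValueError("package digest mismatch, refusing to install")
    return dst
```

The installer then runs only the path returned by `stage_and_verify`, never the original download.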