The vulnerability, named CVE-2022-28756, was found in Zoom for macOS versions 5.7.3 through 5.11.3 and potentially allowed an attacker to gain access to and take over an Apple Inc. computer. through Zoom’s package installer. The vulnerability has a Common Vulnerability and Exposure Score of 8.8, with all Mac Zoom users advised to update to the latest version of Zoom, 5.11.5, as soon as possible. The exploit lies in how the auto-update client in Zoom connects to a privileged daemon or background service. In a rather odd two-step process, someone looking to target a Zoom Mac user could bypass the verification check in Zoom by tricking the update manager into forcing Zoom to downgrade to an older, more easily exploitable version of Zoom, or even forcing it to download a completely different package. Having exploited the first stage, the most vulnerable version of Zoom, or a different package, would allow the attacker to gain root access to the victim’s Mac. “Zoom Client for Meetings for macOS (Standard and for IT Admin)… contains a vulnerability in the automatic update process,” Zoom said in a security bulletin. “A local user with low privileges could exploit this vulnerability to escalate their privileges to root.” Vulnerabilities in the software are nothing new, and Zoom has had its share in the past, particularly when the software went from a semi-obscure offering to a verb for video conferencing as remote work became the norm during the COVID-19 pandemic. Where this vulnerability exposure becomes particularly interesting is that it was exposed before Zoom released a proper patch for it. Typically, when security researchers or so-called “white hat hackers” discover a vulnerability, they contact the company behind the faulty software to allow them to fix the issue before details about the vulnerability are made public. Zoom was made aware of the vulnerability seven months before Wardle made the details public and had multiple opportunities to properly patch it, but did not. Cheers to everyone who came to my @defcon talk “You’re M̶u̶t̶e̶d̶ Rooted” 🙏🏽 I was excited to talk about (and live demo 😅) a local priv-esc vulnerability in Zoom (for macOS).
Currently there is no patch 👀😱 Slides with full details & PoC exploit: #0day pic.twitter.com/9dW7DdUm7P — patrick wardle (@patrickwardle) August 12, 2022 According to Wardle, as reported by Sophos plc’s Naked Security, shortly before DEF CON, Zoom said it had fixed the vulnerability. However, “after applying the patch, he noticed that there was still a gap in the update process.” The subsequent fix of the flawed fix followed Wardle’s presentation at DEF CON. Wardle is well-known in the security community and at all stages he did the right thing by not only informing Zoom but also trying to help it fix the problem. That it took Zoom seven months to address a known vulnerability and then release a flawed update doesn’t reflect well on it. Image: Zoom