The vulnerability, discovered by Patrick Wardle of the Objective-See Foundation, involves Zoom’s automatic updater, which runs as the root user and does not require a user password. When the updater runs, it checks whether the software update is signed by Zoom, but Wardle discovered that it only checked whether the file has the same name as the signing certificate. A hacker could then use a different package with the same name as the certificate to gain access to the Mac. Wardle presented his findings at the DefCon event last week, and his presentation is available to view online.

Zoom responded by releasing update 5.11.5 (9788), which fixes the flaw but is actually the second attempt at a fix. In December, Wardle told Zoom about the vulnerability, and the company issued a patch, but that patch had a bug that left the vulnerability exploitable.

Zoom has a checkered security record. In the past, it had issues with unauthorized access to the microphone, lack of encryption, and unauthorized users intruding into meetings. Zoom has fixed these issues with updates.

How to update Zoom

Zoom may update automatically when you launch the app, but it may not install the latest version (this happened to me), which is 5.11.5 (9788). To check the version, start Zoom and click zoom.us > About Zoom. If you don’t have the latest version, you’ll need to update it manually. Here’s how.

Time to complete: 5 minutes
Required tools: internet connection
Materials required: Zoom Mac app

1. Manually check for updates

Click on the zoom.us menu and select Check for Updates.

2. Install the update

Zoom will see what updates are available. You should see update 5.11.5 (9788) and you can read the release notes. Click Install to proceed.

3. Restart Zoom

A progress window will appear during the installation, which will take a few minutes depending on your internet connection. Zoom will restart and you should see a notification saying that you have installed the latest version. You can now use Zoom as usual.
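To confirm the result from Terminal instead of the About Zoom dialog, the script below is an added example (not from Zoom or from the steps above) that compares the installed version with the fixed release 5.11.5 (9788). It assumes Zoom is installed at /Applications/zoom.us.app and that its Info.plist reports the version as either "5.11.5 (9788)" or "5.11.5.9788"; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check whether the installed Zoom is at least the fixed
# release named in the article, 5.11.5 (9788).
MIN_FIXED="5.11.5 (9788)"
# Assumption: default install location of the Zoom Mac app.
ZOOM_APP="/Applications/zoom.us.app"

# Turn "5.11.5 (9788)" or "5.11.5.9788" into four numbers: "5 11 5 9788".
# Missing or non-numeric parts become 0, so an empty string is "0 0 0 0".
normalize_version() {
    printf '%s\n' "$1" | tr -c '0-9\n' ' ' |
        awk '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# Return 0 if version string $1 is >= MIN_FIXED, 1 otherwise.
# Each part is compared as a number, so 5.11.10 sorts above 5.11.5.
zoom_is_patched() {
    have=$(normalize_version "$1")
    need=$(normalize_version "$MIN_FIXED")
    printf '%s %s\n' "$have" "$need" | awk '{
        for (i = 1; i <= 4; i++) {
            if ($i + 0 > $(i + 4) + 0) exit 0
            if ($i + 0 < $(i + 4) + 0) exit 1
        }
        exit 0
    }'
}

# Read the version from the app bundle (macOS only) and report.
check_installed_zoom() {
    plist="$ZOOM_APP/Contents/Info.plist"
    installed=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null)
    if [ -z "$installed" ]; then
        echo "Could not read a version from $plist"
        return 2
    fi
    if zoom_is_patched "$installed"; then
        echo "Zoom $installed is at or above $MIN_FIXED"
    else
        echo "Zoom $installed is older than $MIN_FIXED: update it"
        return 1
    fi
}

# Only run the check where the app is actually installed.
if [ -d "$ZOOM_APP" ]; then
    check_installed_zoom
fi
```

The same function can be fed version strings collected from several Macs, which helps when the automatic update has left some of them on an older build.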