The patch will eventually roll out automatically, but users can and should install it as soon as they open the app by clicking on Zoom.us in the menu bar at the top left of the screen and then selecting “check for updates.”

Discovered by independent security researcher Patrick Wardle – whose brother Jeremy invented the popular game Wordle – the vulnerability was first presented at the Def Con hacking conference in Las Vegas last week.

It targets the Zoom installer, which the company uses to enable frictionless automatic updates. To simplify the user journey, the installer continues to run in the background from the time a user first installs Zoom, and does so with “superuser” privileges, allowing it to change anything about the computer. Normally, the company tries to make sure this is secure by restricting the installer to only run code that has been cryptographically signed by Zoom, but the bug discovered by Wardle means an attacker could easily bypass that protection and convince the installer to load and run whatever malware they want.

This isn’t the first time Zoom’s focus on frictionless usage has led to a security loophole. In April 2020, when pandemic remote work led to a 500% increase in daily traffic to Zoom’s download page, some critics said the company’s software was a “privacy destroyer” and even malware. The company’s desire to be the easiest way to participate in video calls led it to try to bypass the security measures that protect a user’s computer.
In 2019 Zoom is known to have installed a hidden web server on users’ devices to try to enable one-click call connection, while in 2020 a bug was discovered that allowed attackers to turn a Mac into a remote spying device. Zoom also claimed it used end-to-end encryption to protect calls, before admitting it did not.