
Zoom rolls out fix for vulnerability that can give anyone control of your Mac

If you’re a Zoom user with a Mac, there’s a critical security fix rolling out now that you should install immediately. The Zoom for Mac update addresses a major security vulnerability that could have allowed anyone to gain root access to your computer.

As reported by ArsTechnica, the vulnerability was first discovered by well-known security researcher Patrick Wardle. Wardle detailed the vulnerability at Def Con last week, explaining that Zoom’s auto-update feature doesn’t ask for a user password and is enabled by default.

In practice, this means a malicious actor could bypass the updater's verification check and either downgrade Zoom to an older, less secure version or hand the updater an entirely different package. The report explains:

It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for (“Zoom Video ... Certification Authority Apple Root CA.pkg”), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
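The failure pattern described in the report, a privileged updater that decides whether a package is trustworthy by looking for an expected string in a signature-tool report that also echoes the file name, is easy to reproduce in miniature. The following is an added illustration written for this article, not Zoom's code or Wardle's proof of concept: the signer name, the report format and the version numbers for the downgrade check are constructed, and the hardened validator shows the two properties a defender wants, an exact match on the parsed signer field rather than a substring search, and a refusal to install anything older than what is already present.

```python
"""Weak vs. strict update-package validation (constructed illustration)."""
import re

# Hypothetical expected signer identity; not a real Developer ID.
EXPECTED_SIGNER = "Developer ID Installer: Example Video Corp"


def build_report(package_name: str, signer: str) -> str:
    """Constructed stand-in for the text a signature-checking tool prints.

    Like real tools, it echoes the package file name before the certificate
    chain, which is exactly what makes a substring match unsafe.
    """
    return (
        f'Package "{package_name}":\n'
        f"   Status: signed\n"
        f"   Certificate Chain:\n"
        f"    1. {signer}\n"
        f"    2. Example Root CA\n"
    )


def weak_check(report: str) -> bool:
    """Substring search over the whole report.

    Because the package file name is part of the report, a package whose
    name contains the expected signer string passes even when the leaf
    certificate belongs to someone else.
    """
    return EXPECTED_SIGNER in report


def strict_check(report: str) -> bool:
    """Parse the leaf certificate line of the chain and require exact equality.

    Only the line numbered "1." in the chain is consulted; the echoed file
    name and every other line are ignored.
    """
    match = re.search(r"^\s*1\.\s*(.+?)\s*$", report, re.MULTILINE)
    return match is not None and match.group(1) == EXPECTED_SIGNER


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple, e.g. 5.11.5 -> (5, 11, 5)."""
    return tuple(int(part) for part in version.split("."))


def allow_update(report: str, installed_version: str, candidate_version: str) -> bool:
    """Accept a package only if its signer is verified AND it is newer than what is installed.

    The second condition closes the downgrade path: a correctly signed but
    older build is rejected just like an unsigned one.
    """
    return strict_check(report) and parse_version(candidate_version) > parse_version(installed_version)


if __name__ == "__main__":
    genuine = build_report("app-5.11.5.pkg", EXPECTED_SIGNER)
    # Rogue package: signed by someone else, but *named* after the expected signer.
    rogue = build_report(EXPECTED_SIGNER + ".pkg", "Developer ID Installer: Someone Else")

    print("genuine  weak/strict:", weak_check(genuine), strict_check(genuine))
    print("rogue    weak/strict:", weak_check(rogue), strict_check(rogue))
    print("upgrade  5.7.3 -> 5.11.5:", allow_update(genuine, "5.7.3", "5.11.5"))
    print("downgrade 5.11.5 -> 5.7.3:", allow_update(genuine, "5.11.5", "5.7.3"))
```

Running the script shows the rogue package passing `weak_check` and failing `strict_check`, and the genuine package being accepted as an upgrade but refused as a downgrade. On a real system the signer should of course come from a structured API or parsed certificate chain rather than from tool output at all, and the daemon should compare against the installed build it can read itself, not one the client reports.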

Zoom issued a security bulletin after Wardle detailed the vulnerability. The company said that the vulnerability in the auto-update process could allow a “local low-privileged user” to “escalate their privileges to root.” The affected versions of Zoom are the following:

  • Zoom Client for Meetings for macOS (Standard and for IT Admin) starting version 5.7.3 and before version 5.11.5

Zoom then quickly rolled out an update to its Mac app to patch the vulnerability. Update your Zoom app on your Mac to version 5.11.5 (9788) to protect yourself.

This is only the latest example of Zoom’s oftentimes lackluster security practices. The company was forced to address a major vulnerability in 2019 that allowed websites to hijack your Mac’s webcams. It rolled out an update earlier this year to prevent your Mac’s microphone from staying active even after you left a call. And of course, it lied about offering end-to-end encryption for years.


Author: Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.
