365NEWSX

Zoom patches Mac auto-updater vulnerability that granted root access - Ars Technica

Aug 15, 2022 58 secs

The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.

The problem is that this check could be bypassed simply by passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg").

That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
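The bug class described above, as an added Python sketch that is not code from Zoom, Wardle or Ars Technica: a check that searches a text report which echoes the supplied file name, next to one that compares structured fields and refuses downgrades. The `SigResult` type, the report layout, the certificate names and the version numbers are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder chain; not the real certificate names.
EXPECTED_CHAIN = ("Example Vendor, Inc.", "Example Developer ID CA", "Example Root CA")

@dataclass
class SigResult:
    """Constructed stand-in for the outcome of a package signature check."""
    path: str              # file name, chosen by whoever supplies the package
    signed: bool
    chain: tuple = ()
    version: tuple = (0,)

    def render(self):
        """Text report that, like many CLI tools, echoes the file name."""
        head = f'Package "{self.path}":'
        if not self.signed:
            return head + "\n   Status: no signature"
        rows = [f"   {i}. {name}" for i, name in enumerate(self.chain, 1)]
        return "\n".join([head, "   Status: signed", *rows])

def weak_check(result):
    """Flawed: searches the whole report, including the echoed file name."""
    report = result.render()
    return all(name in report for name in EXPECTED_CHAIN)

def strict_check(result, installed_version):
    """Compares structured fields only, and refuses downgrades."""
    return (result.signed
            and tuple(result.chain) == EXPECTED_CHAIN
            and result.version > installed_version)

def demo(installed=(5, 0, 0)):
    samples = {  # all constructed
        "genuine": SigResult("update.pkg", True, EXPECTED_CHAIN, (5, 1, 0)),
        "renamed_unsigned": SigResult(" ".join(EXPECTED_CHAIN) + ".pkg", False),
        "signed_but_older": SigResult("old.pkg", True, EXPECTED_CHAIN, (4, 0, 0)),
    }
    return {k: (weak_check(r), strict_check(r, installed)) for k, r in samples.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, "weak=%s strict=%s" % verdicts)
```

The weak check accepts all three samples, including the unsigned file whose name merely contains the expected strings; the strict check accepts only the genuine, newer package.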

Wardle disclosed his findings to Zoom before his talk, and some aspects of the vulnerability were addressed, but key root access was still available as of Wardle's talk on Saturday.

Zoom issued a security bulletin later that same day, and a patch for version Zoom 5.11.5 (9788) followed soon after.

Prior to that, Zoom was caught running an entire undocumented web server on Macs, causing Apple to issue its own silent update to kill the server.

Ars' Dan Goodin noted that his Zoom client didn't actually update when the fix for that issue arrived, requiring a manual download of an intermediate version first.

Summarized by 365NEWSX ROBOTS
