Update Zoom for Mac now to avoid root-access vulnerability
August 16, 2022 8:04 AM

A critical vulnerability in Zoom for Mac OS allowed unauthorized users to downgrade Zoom or even gain root access. It has been fixed, and users should update now. If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.

Zoom's software security record is spotty—and at times, downright scary. The company settled with the FTC in 2020 after admitting that it lied for years about offering end-to-end encryption. Wardle previously revealed a Zoom vulnerability that let attackers steal Windows credentials by sending a string of text. Prior to that, Zoom was caught running an entire undocumented web server on Macs, causing Apple to issue its own silent update to kill the server.
posted by dancestoblue (11 comments total) 6 users marked this as a favorite
 
It'll be interesting to see what happens to Zoom over the next couple of years. They really did have the right service at the right time and helped a lot of people stay connected during the darkest days of the pandemic. But (as the article above notes) they've always been a bit lax on the security side of things and a little shady about privacy issues. Now that streaming video conferencing is a commodity service, Zoom's business model is in trouble (as is their stock price)
posted by gwint at 8:14 AM on August 16, 2022 [1 favorite]


This is a local exploit only - someone with local access to the machine can elevate their user privileges. Without a secondary way of remotely executing code on your machine, it’s not going to result in Random Internet Malefactor taking over your machine next time you log into Zoom. You should still update immediately, because maybe there’s some other vulnerability you don’t know about that could allow remote code execution.
posted by zamboni at 8:41 AM on August 16, 2022


This is a local exploit only - someone with local access to the machine can elevate their user privileges
Mostly I expect this to be a source of pain for school administrators with all of the kids whose districts opted for full laptops instead of iPads or ChromeOS devices.
posted by adamsc at 9:35 AM on August 16, 2022 [1 favorite]


I just went to update Zoom. It autoupdated on launch, so I thought I might be good, but it did not update with the newest version. If you want to make sure you've got the latest version that plugs this security hole, make sure you use the "Check for updates" command from the Zoom menu.
posted by mollweide at 9:51 AM on August 16, 2022 [1 favorite]


Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user.

It's not that I'm angry at them for writing shitty software (though I'm also angry at them for that), it's that they've been doing this kind of thing for years and their constant doddering incompetence/malevolence (hard to say which it is, at this point) hasn't been enough to drive them out of business. I don't use Zoom for anything in my normal day, but plenty of people at other companies do, and that means I'm at risk because I have to run their incredible POS client on my own machine if I want to be part of any meetings.

Stuff like this isn't easy, per se, but it's not like it's a whole uncharted world for devs. People have been bundling software and including autoupdate for decades. It's largely a solved problem. Creating your own solution, absent some kind of overwhelming reason for it, is dumb. Continuing to use your homegrown, buggy-ass installer/updater, after it's been shown repeatedly to be a constant source of security threats, is irresponsible bordering on reckless. It's so appalling that it makes the rest of us look bad. There are no licensing bodies for software engineers. This is the kind of shit that makes functioning governments start oversight committees.
posted by Mayor West at 10:07 AM on August 16, 2022 [4 favorites]
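A defender-side check that follows from the quoted finding (the updater is root-owned, runs as root, and needs no password): the shell script below is an added example, not code from this thread, from the Ars Technica article, or from Zoom. It audits a directory of privileged helper binaries for the two generic conditions that let an ordinary local user turn a root-run helper into root access: the setuid bit, or a file a non-root user can overwrite. The default directory, /Library/PrivilegedHelperTools, is an assumption (it is where macOS apps install root helpers); the script does not detect the specific Zoom updater flaw, only the hygiene problems of the same class.

```shell
#!/bin/sh
# Added example (not from the thread or from Zoom). Audits a directory of
# privileged helper binaries for conditions that turn a root-run helper into
# a local privilege escalation:
#   -perm -4000  setuid bit set (binary runs as its owner for any caller)
#   -perm -002   world-writable (any local user can replace the code root runs)
# Default directory is an assumption: /Library/PrivilegedHelperTools is where
# macOS apps install root helpers such as auto-updaters.

audit_privileged_helpers() {
    dir="${1:-/Library/PrivilegedHelperTools}"
    if [ ! -d "$dir" ]; then
        echo "audit_privileged_helpers: no such directory: $dir" >&2
        return 1
    fi
    find "$dir" -type f \( -perm -4000 -o -perm -002 \) -print | sort
}

# Prints owner, mode and path for each flagged file so an admin can see at a
# glance whether it is root-owned; ls -ld output is the same on macOS and Linux.
report_privileged_helpers() {
    audit_privileged_helpers "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Usage: sh audit_helpers.sh [directory]
if [ "$#" -gt 0 ]; then
    report_privileged_helpers "$1"
fi
```

Run it as root on a Mac to cover directories that are not world-readable; a clean result means no helper in that directory is setuid or replaceable by an unprivileged user, which is the minimum you want from anything that installs software on your behalf.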


Do I even need to have the actual Zoom application anymore? Some other videoconferencing apps have migrated all their functionality into the browser, without any other software required.
posted by meowzilla at 10:14 AM on August 16, 2022


Meowzilla - re: do you need the app version? It depends! You only NEED the app version if you try the web version and it doesn't work for your use case, on your hardware, with your particular corporate (or personal) settings in place, using whatever browser you're using, etc. The app might offer features the web version can't do - screen sharing or remote control, etc. But not everyone needs those. Also, you might still "want" the app - sometimes, it's faster to start up the app once, for multiple calls, rather than redownload the web version every time you start a call.
posted by mrgoldenbrown at 10:48 AM on August 16, 2022


Also, the app can make you prettier. I don't know if the web app can do that as well.
posted by signal at 1:23 PM on August 16, 2022


Zoom is such an interesting case study. It's a crowded market segment, with big players like Google and Microsoft, and Zoom has managed to grab a huge chunk of it. Their security track record is terrible, their software is objectively bad - doing things like setting up local webservers open to the world. Their UI / UX is not good. But they do their one thing pretty well, and were in the right place at the right time.
posted by Nothing at 4:49 AM on August 17, 2022 [2 favorites]


Dunno if anyone's still following this, but Zoom screwed up the patch and released another one on Wednesday: Zoom patches critical vulnerability again after prior fix was bypassed
posted by meowzilla at 2:25 PM on August 18, 2022


While you're in the mood to update software: Apple releases iOS, iPadOS and macOS security fixes for two zero-days under active attack
posted by gwint at 8:34 PM on August 18, 2022

