Zoom has just patched a macOS bug that allowed hackers to take control of a given device’s operating system through the platform – but another bug remains live, according to the security researcher who discovered it. Users who have not updated their software could still be at risk of having their Macs infiltrated via both exploits.

Since the pandemic, companies across the globe have turned to Zoom to facilitate collaboration in remote working environments, with its 300 million-strong active user base an appealing target for hackers. macOS users with the Zoom client installed have been advised by the company to update their systems as soon as possible.

The flaw in Zoom’s system, tracked as CVE-2022-28756, theoretically allows a hacker to gain control of a computer’s entire operating system, post-exploit. The issue was discovered by Patrick Wardle of the Objective-See Foundation, a non-profit that creates security tools for devices running macOS. He revealed the existence of the bug to the public at the Def Con hacking conference in Las Vegas last Friday.

The vulnerability stems from the installer for Zoom, which requires users to grant the application an all-access pass for updates in order to run on a Mac. The installer asks a user to input their password when the application is added to a given system. However, after this, it sets the app up to run auto-updates in the background and grants Zoom “superuser” privileges. A superuser is a “root account” on a Mac that has access to do whatever it wants to the system.

When an update is rolled out by Zoom, the program checks whether the new software has been cryptographically “signed” by the company – but an issue with the updater function’s checking rules has meant that any file with Zoom’s signing certificate as its name will be green-lighted for installation. According to Wardle, a hacker could easily deceive the Zoom application via the use of that signing certificate and orchestrate a “privilege escalation attack”, whereby a hacker uses a lower-level account to subsequently gain access to an account with system-level privileges.

On the surface, you may think a hacking conference is an odd place to first disclose such a big security flaw in such a popular piece of software. But Wardle had actually informed Zoom of this bug back in December 2021, and then presented his research eight months later.

The web conferencing company did deploy a fix when Wardle shared his findings, but all it did was make the exploit harder to achieve. A second attempt to close the vulnerability was successful, but a subsequent “error” left the vulnerability exploitable once more.

So, along with the research already disclosed to Zoom, Wardle disclosed a new bug – that’s reportedly still live – during the Def Con event. Apparently it’s quite easy to fix, Wardle claims, and Zoom is working “diligently” to address the issue, the company said.

The most recent Zoom update should still be installed in line with the app’s security bulletin post. This isn’t the first time that Zoom has left a lot to be desired when it comes to security. Most famously, in March 2020, Zoom wrongly claimed meetings between participants were end-to-end encrypted.
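The following Python is an added illustration, not Zoom’s code and not part of the original article. It models the class of updater mistake the article describes: a check that looks for the trusted signer’s name in a status report that also echoes the file name, so a file whose name contains that string passes regardless of whether it carries a valid signature. Beside it is the hardened form, which verifies the signature over the bytes to be installed and then compares the identity bound by that signature against a pinned value. The signer name, key, package contents and the tool-style status text are all constructed for the example, and an HMAC stands in for a real asymmetric code-signing check so the block runs with the standard library alone.

```python
"""Toy model of an updater's origin check: name-matching vs. signature verification.

Everything below (signer string, key, packages, report text) is constructed for
this example. HMAC is a stand-in for the asymmetric, CA-chained signature a real
platform code-signing check verifies.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Placeholder identity; the real vendor certificate name is deliberately not used.
TRUSTED_SIGNER = "Example Developer ID (CONSTRUCTED)"

# Stand-in for the vendor's signing key (constructed).
_VENDOR_KEY = b"constructed-vendor-signing-key"


@dataclass
class Package:
    filename: str
    contents: bytes
    signer: str       # identity embedded in the package's signature block
    signature: bytes  # tag over signer + contents


def _tag(signer: str, contents: bytes, key: bytes = _VENDOR_KEY) -> bytes:
    """Signature stand-in: an HMAC-SHA256 over the bound identity and the payload."""
    return hmac.new(key, signer.encode() + b"\0" + contents, hashlib.sha256).digest()


def sign_package(filename: str, contents: bytes, signer: str = TRUSTED_SIGNER) -> Package:
    """Produce a genuinely signed package (what the vendor's build pipeline would emit)."""
    return Package(filename, contents, signer, _tag(signer, contents))


def verify_signature(pkg: Package, key: bytes = _VENDOR_KEY) -> bool:
    """Recompute the tag over the bytes that will be installed; constant-time compare."""
    return hmac.compare_digest(_tag(pkg.signer, pkg.contents, key), pkg.signature)


def describe(pkg: Package) -> str:
    """Human-readable status report. Note that it echoes the file name verbatim,
    which is what makes string-matching on it unsafe (constructed format)."""
    status = f"signed by {pkg.signer}" if verify_signature(pkg) else "no valid signature"
    return f'Package "{pkg.filename}"\n   Status: {status}'


def naive_check(pkg: Package) -> bool:
    """Flawed: accepts if the trusted name appears anywhere in the report text.
    A file whose *name* contains the signer string passes even when unsigned."""
    return TRUSTED_SIGNER in describe(pkg)


def hardened_check(pkg: Package) -> bool:
    """Accept only if the signature verifies AND the identity it binds is the pinned one.
    The file name plays no part in the decision."""
    return verify_signature(pkg) and pkg.signer == TRUSTED_SIGNER


def run_checks(pkg: Package) -> dict:
    """Return both verdicts so the two policies can be compared side by side."""
    return {"naive": naive_check(pkg), "hardened": hardened_check(pkg)}


if __name__ == "__main__":
    genuine = sign_package("update.pkg", b"vendor-built payload")
    # Unsigned file whose name is the signer string (the pattern the article describes).
    name_spoof = Package(f"{TRUSTED_SIGNER}.pkg", b"other payload", "", b"")
    # Package that merely claims the trusted identity without a valid tag.
    forged_claim = Package("update.pkg", b"other payload", TRUSTED_SIGNER, bytes(32))
    for label, pkg in [("genuine", genuine), ("name_spoof", name_spoof), ("forged_claim", forged_claim)]:
        print(label, run_checks(pkg))
```

The point of the contrast is that the hardened policy never consults the file name: it derives the signer identity from a signature that has already been verified over the exact bytes about to run with elevated privileges, and only then compares that identity with a pinned expectation.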