
Zoom Exploit on MacOS


This vulnerability was reported to Zoom last December. The exploit works by targeting the Zoom application installer, which must be run with special user permissions to install or uninstall the main Zoom application on the computer. Although the installer required the user to enter a password when first adding the application to the system, Wardle found that the automatic update feature then kept running in the background with superuser rights.

When Zoom releases an update, the update feature installs the new package after verifying that it has been cryptographically signed by Zoom. However, an error in how the validation method was applied meant that giving the update program a file with the same name as the signing certificate was enough for the test to pass, so an attacker could substitute any malicious software and have the update program run it with elevated privileges. It seems that the issue is not completely solved. Following responsible disclosure protocols, Wardle reported the vulnerability to Zoom last December.
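The class of validation error described above can be modelled in a few lines. This is an added example, not Zoom's code: the signer name, key, file names and report format are constructed, and an HMAC stands in for the vendor's public-key signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
from typing import Optional

# All names, keys and file contents below are constructed for this example.
EXPECTED_SIGNER = "Example Vendor, Inc."
VENDOR_KEY = b"demo-key"  # HMAC stands in for the vendor's signing key pair


def sign(payload: bytes) -> bytes:
    """Vendor side: produce a tag bound to the package bytes."""
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()


def tool_report(filename: str, payload: bytes, tag: Optional[bytes]) -> str:
    """Stand-in for a signature tool's text output; it echoes the file name."""
    ok = tag is not None and hmac.compare_digest(sign(payload), tag)
    status = f"signed by {EXPECTED_SIGNER}" if ok else "no valid signature"
    return f'Package "{filename}":\n  Status: {status}\n'


def weak_check(filename: str, payload: bytes, tag: Optional[bytes]) -> bool:
    """Flawed: accepts if the signer name appears anywhere in the report."""
    return EXPECTED_SIGNER in tool_report(filename, payload, tag)


def strict_check(filename: str, payload: bytes, tag: Optional[bytes]) -> bool:
    """Hardened: verifies the tag over the bytes; the file name plays no part."""
    return tag is not None and hmac.compare_digest(sign(payload), tag)


def compare() -> dict:
    """Run both checks over constructed packages; returns {case: (weak, strict)}."""
    genuine = b"vendor update 5.0"
    other = b"unsigned bytes"
    cases = {
        "genuine": ("update.pkg", genuine, sign(genuine)),
        "unsigned": ("other.pkg", other, None),
        "unsigned, named like signer": (f"{EXPECTED_SIGNER}.pkg", other, None),
        "tag copied from genuine": ("update.pkg", other, sign(genuine)),
    }
    return {name: (weak_check(*c), strict_check(*c)) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:30} weak={weak!s:5} strict={strict}")
```

The two checks disagree only on the unsigned file whose name matches the signer, which is the case a privileged updater must reject.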
