Zoom’s auto-updates come with potential risks on Macs


Many of us have been there: you fire up the Zoom app in a hurry to join a meeting you're already late for, and you get a prompt to download updates. If something like this has happened to you, you've signed up for Zoom's automatic update feature.

Launched in its current form in November 2021 for Zoom’s Windows and Mac desktop apps, the feature is intended to keep users up to date with software patches. You enter your system password when you initially set up the feature, granting Zoom permission to install patches, and then you never have to enter it again. Easy. But after noticing the feature, longtime Mac security researcher Patrick Wardle wondered if it was a bit too easy.

At the DefCon security conference in Las Vegas today, Wardle presented two vulnerabilities he found in the auto-update feature’s validation checks for updates. For an attacker who already has access to the target Mac, the vulnerabilities could have been chained and exploited to give the attacker full control over the victim’s machine. Zoom has released fixes for both vulnerabilities, but on stage on Friday, Wardle announced the discovery of an additional vulnerability, one he has not disclosed to Zoom, that would reopen the attack vector.

“I’m curious about exactly how they set this up. And when I looked at it, at first it seemed like they were doing everything safely — they had the right ideas,” Wardle told WIRED before his talk. “But when I take a closer look, the quality of the code is more questionable, and it doesn’t seem like anyone has examined it deeply enough.”

To automatically install updates after a user enters their password once, Zoom installs a standard macOS helper that Wardle says is used extensively in development. The company has set up a mechanism so that only the Zoom app can talk to the helper. This way no one else can connect and mess with things. The feature is also set up to run signature checks to confirm the integrity of updates being delivered, and it specifically checks that the software is a new version of Zoom, so hackers cannot perform a “downgrade attack” by tricking the application into installing an old and vulnerable version of Zoom.

However, the first vulnerability Wardle found was in the cryptographic signature check. (It’s a type of wax-seal check to confirm the integrity and provenance of the software.) From previous research and his own software development, Wardle knew that it can be difficult to verify signatures under the type of conditions that Zoom had set up. Eventually, he realized that Zoom’s check could be beaten. Imagine you carefully signed a legal document and then placed the piece of paper face down on the table next to a birthday card you signed more casually for your sister. Zoom’s signature check was basically looking at everything on the table and accepting the random signature on the birthday card instead of actually checking whether the signature was in the right place on the right document. In other words, Wardle found that he could change the name of the software he was trying to slip through so that it contained the markers Zoom was broadly searching for, and get the malicious package past Zoom’s signature check.
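
The class of flaw described above, as a simplified model added here for illustration (it is not Zoom's code or Wardle's): a check that searches a verifier's whole report for the expected marker, beside one that compares only the validated signer field. The signer string, `VerifyResult` and the sample packages are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder identity, constructed for this example.
EXPECTED_SIGNER = "Example Vendor, Inc. (PLACEHOLDER-ID)"

@dataclass(frozen=True)
class VerifyResult:
    """Simplified, hypothetical output of a package signature verifier."""
    package_name: str        # comes from the file on disk, so an attacker can choose it
    signer: Optional[str]    # filled in only when a signature validated cryptographically

def render(result: VerifyResult) -> str:
    """Flatten the result to text, the way a command-line tool would print it."""
    status = f"signed by: {result.signer}" if result.signer else "no signature"
    return f"package: {result.package_name}\nstatus: {status}"

def naive_check(result: VerifyResult) -> bool:
    """Flawed: looks for the expected marker anywhere in the rendered text."""
    return EXPECTED_SIGNER in render(result)

def strict_check(result: VerifyResult) -> bool:
    """Hardened: compares only the validated signer field, and compares it exactly."""
    return result.signer is not None and result.signer == EXPECTED_SIGNER

# Constructed sample inputs.
SAMPLES = {
    "genuine": VerifyResult("update.pkg", EXPECTED_SIGNER),
    "unsigned_renamed": VerifyResult(f"{EXPECTED_SIGNER}.pkg", None),
    "other_signer": VerifyResult("update.pkg", "Someone Else (OTHER-ID)"),
}

def audit() -> dict:
    """Return {sample: (naive verdict, strict verdict)} for every sample."""
    return {name: (naive_check(r), strict_check(r)) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, strict) in audit().items():
        print(f"{name:17} naive={naive!s:5} strict={strict}")
```

The unsigned package passes the naive check only because its file name carries the marker; the strict check never looks at attacker-chosen fields.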


