Zoom users with Macs can rest a little easier. Ars Technica reports Zoom has updated its Mac software to patch a vulnerability that let would-be intruders take control of systems. The video calling software’s auto-updater not only had root-level access, but also had a signature verification system that you could fool simply by giving your package a familiar file name. A hacker could force your app to downgrade or otherwise enable exploits.
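The two failure modes described above, a trust decision keyed to a file name and a forced downgrade, can be contrasted with a content-bound check. This is an added illustration, not Zoom's code or Wardle's: every name, key, version and payload is constructed, and an HMAC stands in for the public-key package signature a real updater would verify.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"       # stand-in for the vendor signing key
TRUSTED_NAME = "Vendor Update.pkg"  # hypothetical "familiar" file name

def tag_for(version, digest):
    """Authenticate version and digest together so neither can be swapped."""
    msg = ".".join(map(str, version)) + ":" + digest
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def make_manifest(version, payload):
    """Vendor side (constructed): describe one release."""
    digest = hashlib.sha256(payload).hexdigest()
    return {"version": version, "sha256": digest, "tag": tag_for(version, digest)}

def weak_check(filename, payload):
    """Flawed pattern: trust follows the file name, never the bytes."""
    return filename == TRUSTED_NAME

def strict_check(payload, manifest, installed):
    """Trust follows the content, and older releases are refused."""
    version, digest = tuple(manifest["version"]), manifest["sha256"]
    if not hmac.compare_digest(tag_for(version, digest), manifest["tag"]):
        return "manifest not authentic"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest):
        return "payload does not match manifest"
    if version <= installed:
        return "downgrade refused"
    return "ok"

def demo():
    installed = (5, 2, 0)                      # constructed version numbers
    new_pkg, old_pkg = b"release 5.3.0 bytes", b"release 5.1.0 bytes"
    new_m, old_m = make_manifest((5, 3, 0), new_pkg), make_manifest((5, 1, 0), old_pkg)
    forged = b"attacker-controlled bytes"
    return {
        "weak_accepts_forged": weak_check(TRUSTED_NAME, forged),
        "strict_forged": strict_check(forged, new_m, installed),
        "strict_old_genuine": strict_check(old_pkg, old_m, installed),
        "strict_new_genuine": strict_check(new_pkg, new_m, installed),
        "strict_edited_manifest": strict_check(
            forged, dict(new_m, sha256=hashlib.sha256(forged).hexdigest()), installed),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The old but genuine package passes both authenticity checks and is stopped only by the version comparison, which is why a valid signature alone does not prevent a downgrade.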
Objective-See Foundation (OSF) creator and researcher Patrick Wardle first discovered the security hole and disclosed it to Zoom in December last year. Zoom fixed that problem, but introduced another bug in the process. Zoom addressed that, too, but Wardle found still another flaw. The OSF founder discussed his findings at DEF CON last week. Zoom acknowledged the issue that day, and patched it afterward.
This isn’t the first time Zoom has grappled with security headaches, including for the Mac. In 2019, the company raced to fix a webcam hijack exploit that relied on a locally-created web server. Increased scrutiny of Zoom at the start of the COVID-19 pandemic in spring 2020 also prompted a full-scale review of the company’s practices. While that did lead to changes, it’s clear Zoom isn’t immune to missteps.