Zoom patches critical vulnerability again after prior fix was bypassed

A critical vulnerability in Zoom for MacOS, patched once last weekend, could still be bypassed as of Wednesday. Users should update again.
Enlarge / A critical vulnerability in Zoom for MacOS, patched once last weekend, could still be bypassed as of Wednesday. Users should update again.
Getty Images

It’s time for Zoom users on Mac to update—again.

After Zoom patched a vulnerability in its Mac auto-update utility that could give malicious actors root access earlier this week, the video conferencing software company issued another patch Wednesday, noting that the prior fix could be bypassed.

Zoom users on macOS should download and run version 5.11.6 (9890), released August 17. You can also check Zoom’s menu bar for updates. Waiting for an automatic update could leave you waiting days while this exploit is publicly known.

Zoom’s incomplete fix was reported by macOS security researcher Csaba Fitzl, aka theevilbit of Offensive Security. Zoom credited Fitzl in its security bulletin (ZSB-22019) and issued a patch the day before Fitzl tweeted about it.

Neither Fitzl nor Zoom detailed how Fitzl was able to bypass the fix for the vulnerability first discovered by Patrick Wardle, founder of the Objective-See Foundation. Wardle spoke at Def Con last week about how Zoom’s auto-update utility held onto its privileged status to install Zoom packages but could be tricked into verifying other packages. That meant malicious actors could use it to downgrade Zoom for better exploit access or even to gain root access to the system.

Source

Leave a Reply

Your email address will not be published. Required fields are marked *