Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Update Zoom For Mac Now To Avoid Root-Access Vulnerability (arstechnica.com) 24

If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system. From a report: The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user. It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg"), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
This discussion has been archived. No new comments can be posted.

Update Zoom For Mac Now To Avoid Root-Access Vulnerability

Comments Filter:
  • this seems the real problem...

    • by nightflameauto ( 6607976 ) on Monday August 15, 2022 @04:49PM (#62792103)

      Everybody seems to want to do this now and it drives us IT nerds nuts. Multi-user OSes with admin rights have been around for how long now? And we want to just give software packages admin rights because reasons? WTF?

      We've got CAD software in the office that's insisting the user MUST have full admin rights to even run the software. Why? What does that software need admin rights for? Admin rights to a directory for temp writing? Sure, whatever. But full admin rights just to start up? What kinda garbage are they trying to pull?

      • There's a way to fix your problem: Adjust the application manifest. Export the manifest, edit the .manifest XML file, change "requireAdministrator" to "asInvoker", reimport the manifest, delete any code signing certificates in the executable, and fix up the executable checksum. There are a number of very good command-line tools out there that can safely modify files in the PE file format (e.g. Microsoft Visual Studio has a few useful tools). It's entirely likely that the CAD software will function just

      • by kriston ( 7886 )

        CAD software in the office that's insisting the user MUST have full admin rights to even run the software

        In the olden days that was because it needed to access a hardware copy-protection dongle or some other weird software copy-protection scheme that also required admin access. No other reason I can recall.

      • We've got CAD software in the office that's insisting the user MUST have full admin rights to even run the software. Why? What does that software need admin rights for?

        It probably has to do with self-updating, which is functionality which shouldn't even exist — the OS should be handling invoking updates, and no one else. Real operating systems have a facility built into them for handling this sort of thing, and real developers utilize it.

        On Windows it's common to have to have Admin rights for games because they self-update, and they need those rights to be able to silently install runtime packages. So instead of being prompted only when an update happens, they want

        • It probably has to do with self-updating, which is functionality which shouldn't even exist — the OS should be handling invoking updates, and no one else. Real operating systems have a facility built into them for handling this sort of thing, and real developers utilize it.

          macOS, the operating system named in the featured article, has such a facility called the Mac App Store. However:

          1. Apple charges developers a fee for using the Mac App Store to distribute updates. The widely cited figure is 99 USD per year plus 30 percent of related revenue.
          2. Apple puts all updates distributed through the Mac App Store through a review process that can delay release of said updates by days or weeks.
          3. macOS runs all applications whose updates are distributed through the Mac App Store in a

          • Yeah, I don't dick with Apple because of their proprietary attitude towards the hardware, for the same reason that I use Windows only for gaming and do everything real in Linux. Linux may have shitty package management (RPM is hell, while apt is missing basic features that even SunOS4 had like repairing permissions) but at least it exists, and anyone* can make their own repo.

            * Unless you're talking about snap, but fuck snap

          • This is all true, but I'd like to point out that apps don't have to be installed via the App Store. Plenty of apps can be installed and updated external to the App Store, if developers want.
            • by tepples ( 727027 )

              The context was ability of the operating system to perform the updates. Through what mechanism does macOS support this? Or does each off-Store application have to run its own updates?

    • Be happy that apps need elevated permissions in order to share your screen.

  • by Tramtrist ( 6973032 ) on Monday August 15, 2022 @06:05PM (#62792287)
    Zoom has always been a security dumpster fire. Remember when Zoom got caught installing a hidden webserver on Macs, that persisted even after Zoom was uninstalled? https://www.zdnet.com/article/... [zdnet.com]
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Zoom has always been a security dumpster fire.
      Remember when Zoom got caught installing a hidden webserver on Macs, that persisted even after Zoom was uninstalled? https://www.zdnet.com/article/... [zdnet.com]

      Exactly. This article's title should have been "Update Zoom To Avoid Latest Root-Access Vulnerability"

      In the hidden privileged web server case (that persisted even if you removed the Zoom application), Apple actually started removing it after Zoom refused: https://www.theregister.com/20... [theregister.com]

    • As the foremost expert on Dumpster Fires [76.205.135.31], I can assure you they'd take offense at being compared to Zoom. After all, they only ruin one business at a time...

  • Tell me again how a userspace application needs root permissions on ANY platform.

    • by tepples ( 727027 )

      For updating.

      When a userspace application's installer detects that the application's publisher has released a new version of the application, the application downloads the new version. It then needs administrative privileges to replace the system-wide installed copy of the application. Using the operating system's update service instead has drawbacks that I mentioned in another comment [slashdot.org].

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...