Security

Update Zoom For Mac Now To Avoid Root-Access Vulnerability (arstechnica.com)

If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system. From a report: The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user. It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg"), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
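An added example, not code from the article or from Zoom: a minimal model of the flaw class the summary describes, where a check searches a verifier's text report that also echoes the caller-supplied file name, beside a check that compares only the verified certificate fields. The signer names, the report format and the `SigResult` type are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical values for illustration; not Zoom's signer or any real tool's output.
EXPECTED_LEAF = "Developer ID Installer: Example Vendor Inc. (ABCDE12345)"
EXPECTED_ROOT = "Example Root CA"


@dataclass
class SigResult:
    path: str                                   # caller-controlled file name
    signed: bool                                # did verification succeed?
    chain: list = field(default_factory=list)   # leaf first, root last

    def report(self) -> str:
        """Text report that echoes the file name, as many CLI tools do."""
        out = [f'Package "{self.path}":']
        out.append("   Status: " + ("signed" if self.signed else "no signature"))
        out += [f"    {i}. {name}" for i, name in enumerate(self.chain, 1)]
        return "\n".join(out)


def naive_check(result: SigResult) -> bool:
    # Flawed: substring search over the whole report, which contains the
    # caller-influenced file name as well as the certificate fields.
    return EXPECTED_LEAF in result.report()


def strict_check(result: SigResult) -> bool:
    # Compare only fields produced by verification itself, never the path.
    return (result.signed and len(result.chain) >= 2
            and result.chain[0] == EXPECTED_LEAF
            and result.chain[-1] == EXPECTED_ROOT)


# Constructed sample inputs.
GENUINE = SigResult("/tmp/update.pkg", True,
                    [EXPECTED_LEAF, "Example Intermediate CA", EXPECTED_ROOT])
OTHER_VENDOR = SigResult("/tmp/update.pkg", True,
                         ["Developer ID Installer: Someone Else (ZZZZZ99999)",
                          "Example Intermediate CA", EXPECTED_ROOT])
NAME_ONLY = SigResult(f"/tmp/{EXPECTED_LEAF}.pkg", False)  # unsigned, named to match


def audit() -> dict:
    """Return {case: (naive_result, strict_result)} for the three samples."""
    cases = {"genuine": GENUINE, "other_vendor": OTHER_VENDOR, "name_only": NAME_ONLY}
    return {name: (naive_check(r), strict_check(r)) for name, r in cases.items()}
```

The unsigned `NAME_ONLY` package passes the substring check purely because of its file name, while the field-by-field comparison rejects it.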
  • this seems the real problem...

    • by nightflameauto ( 6607976 ) on Monday August 15, 2022 @05:49PM (#62792103)

      Everybody seems to want to do this now and it drives us IT nerds nuts. Multi-user OSes with admin rights have been around for how long now? And we want to just give software packages admin rights because reasons? WTF?

      We've got CAD software in the office that's insisting the user MUST have full admin rights to even run the software. Why? What does that software need admin rights for? Admin rights to a directory for temp writing? Sure, whatever. But full admin rights just to start up? What kinda garbage are they trying to pull?

      • There's a way to fix your problem: Adjust the application manifest. Export the manifest, edit the .manifest XML file, change "requireAdministrator" to "asInvoker", reimport the manifest, delete any code signing certificates in the executable, and fix up the executable checksum. There are a number of very good command-line tools out there that can safely modify files in the PE file format (e.g. Microsoft Visual Studio has a few useful tools). It's entirely likely that the CAD software will function just

      • by kriston ( 7886 )

        CAD software in the office that's insisting the user MUST have full admin rights to even run the software

        In the olden days that was because it needed to access a hardware copy-protection dongle or some other weird software copy-protection scheme that also required admin access. No other reason I can recall.

      • We've got CAD software in the office that's insisting the user MUST have full admin rights to even run the software. Why? What does that software need admin rights for?

        It probably has to do with self-updating, which is functionality which shouldn't even exist — the OS should be handling invoking updates, and no one else. Real operating systems have a facility built into them for handling this sort of thing, and real developers utilize it.

        On Windows it's common to have to have Admin rights for games because they self-update, and they need those rights to be able to silently install runtime packages. So instead of being prompted only when an update happens, they want

        • It probably has to do with self-updating, which is functionality which shouldn't even exist — the OS should be handling invoking updates, and no one else. Real operating systems have a facility built into them for handling this sort of thing, and real developers utilize it.

          macOS, the operating system named in the featured article, has such a facility called the Mac App Store. However:

          1. Apple charges developers a fee for using the Mac App Store to distribute updates. The widely cited figure is 99 USD per year plus 30 percent of related revenue.
          2. Apple puts all updates distributed through the Mac App Store through a review process that can delay release of said updates by days or weeks.
          3. macOS runs all applications whose updates are distributed through the Mac App Store in a

          • Yeah, I don't dick with Apple because of their proprietary attitude towards the hardware, for the same reason that I use Windows only for gaming and do everything real in Linux. Linux may have shitty package management (RPM is hell, while apt is missing basic features that even SunOS4 had like repairing permissions) but at least it exists, and anyone* can make their own repo.

            * Unless you're talking about snap, but fuck snap

          • This is all true, but I'd like to point out that apps don't have to be installed via the App Store. Plenty of apps can be installed and updated external to the App Store, if developers want.
            • by tepples ( 727027 )

              The context was ability of the operating system to perform the updates. Through what mechanism does macOS support this? Or does each off-Store application have to run its own updates?

    • Be happy that apps need elevated permissions in order to share your screen.

  • by Tramtrist ( 6973032 ) on Monday August 15, 2022 @07:05PM (#62792287)
    Zoom has always been a security dumpster fire. Remember when Zoom got caught installing a hidden webserver on Macs, that persisted even after Zoom was uninstalled? https://www.zdnet.com/article/... [zdnet.com]
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Zoom has always been a security dumpster fire.
      Remember when Zoom got caught installing a hidden webserver on Macs, that persisted even after Zoom was uninstalled? https://www.zdnet.com/article/... [zdnet.com]

      Exactly. This article's title should have been "Update Zoom To Avoid Latest Root-Access Vulnerability"

      In the hidden privileged web server case (that persisted even if you removed the Zoom application), Apple actually started removing it after Zoom refused: https://www.theregister.com/20... [theregister.com]

    • As the foremost expert on Dumpster Fires [76.205.135.31], I can assure you they'd take offense at being compared to Zoom. After all, they only ruin one business at a time...

  • Tell me again how a userspace application needs root permissions on ANY platform.

    • by tepples ( 727027 )

      For updating.

      When a userspace application's installer detects that the application's publisher has released a new version of the application, the application downloads the new version. It then needs administrative privileges to replace the system-wide installed copy of the application. Using the operating system's update service instead has drawbacks that I mentioned in another comment [slashdot.org].
