‘The “S” in Zoom Stands for Security’

Security researcher Patrick Wardle uncovered two security flaws in the Mac version of Zoom today:

Though the new issues we’ll discuss today remain unpatched, they both are local security issues.

As such, to be successfully exploited they required that malware or an attacker already have a foothold on a macOS system.

In other words, these vulnerabilities aren’t catastrophic — they can’t be exploited remotely to give an attacker a foothold on your Mac. But software that’s already running on your Mac can exploit these vulnerabilities to gain root access (via Zoom’s egregiously sloppy installer) or to gain access to your webcam and microphone without prompting a permission alert from the system (presuming, quite reasonably, that the user has already granted camera and microphone access to Zoom itself).

(Zoom’s installer is so sloppy that when it prompts for administrator authentication, the dialog is written in broken English, and claims — falsely — to be the “System”: “System need your privilege to change.” That’s exactly what their installer’s authentication prompt says.

Even their helper tool’s name is misspelled: “zoomAutenticationTool”. Zoom has all the hallmarks of malware and scamware.)

Wednesday, 1 April 2020