A security researcher discovered two vulnerabilities in the Zoom video calling software update tool for macOS that allowed root access. After the company fixed the vulnerabilities, the man discovered a new vulnerability.
Share security researcher Patrick Wardle its results At the DefCon hacker event in Las Vegas. There is an explanation of how Signature Verification From the Zoom auto-update tool for macOS. Through the first hole, CVE-2022-28751Users just had to change the file name to contain the same certificate values that the updater was looking for. “You just have to give the program a certain name and it will bypass coding control in a jiffy,” Suggest the guy to Wired.
Wardle reported the vulnerability to Zoom at the end of 2021 and the fix the company released then contained a new vulnerability, according to Wardle. He was able to get Zoom’s updater app for macOS to accept an older version of the video calling software, so he started distributing that version instead of the newer one. Malicious parties were suddenly given a chance to exploit vulnerabilities in older Zoom software via the CVE2022-22781 vulnerability. I got, because Zoom has now fixed the two vulnerabilities above via an update.
But Wardle also found a vulnerability there, CVE-2022-28756. According to the man, it is currently possible to make changes to the package after the software package has been verified by the Zoom installer. The software package retains its read and write permissions in macOS and can still be modified between encryption check and installation. Meanwhile, Zoom has responded to Wardell’s new findings. The company says it is working on a solution.