Continuing the trail of security issues, two security vulnerabilities have now surfaced in the Zoom macOS Client. The vulnerabilities, with seemingly no patch yet, can give an attacker elevated privileges.
Zoom macOS Client Vulnerabilities
Security researcher Patrick Wardle has now come up with an interesting finding. As revealed through his recent post, Zoom macOS Client exhibits two major security flaws that need quick fixes.
The first of these is a privilege escalation flaw that can give root access to an attacker. According to the researcher Felix Seele, this relates to the Zoom macOS app installer behavior that requires no user input for installation.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
As noted by Seele and endorsed by Wardle, the Zoom client on macOS uses the AuthorizationExecuteWithPrivileges API, which executes a binary without authorization, to install the app. It is pertinent to note that Apple has already deprecated this API due to privacy concerns. Yet Zoom continued using this API on Mac, about which Eric Yuan, Zoom’s CEO, told Seele,
Thank you for your feedback! We implemented to balance the number of clicks given the limitations of the standard technology. To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve.
— Eric S. Yuan (@ericsyuan) March 31, 2020
Regardless of the justification, this behavior potentially allows an attacker to gain elevated privileges on any target device simply by modifying the binary. According to Wardle,
To exploit Zoom, a local non-privileged attacker can simply replace or subvert the runwithroot script during an install (or upgrade?) to gain root access.
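A defender-side check for the condition described above, written as an added example (not Zoom's, Seele's or Wardle's code): before anything is executed as root, the file and every ancestor directory should be owned by a trusted account and not writable by group or others. The function name, the `trusted_uids` parameter and the staging layout in the demo are assumptions made for illustration.

```python
import os
import stat


def audit_root_exec_path(path, trusted_uids=(0,)):
    """Return (path, reason) findings for a file that will be run as root.

    Walks from the file up to "/". Any component owned by an untrusted uid,
    or writable by group/others, lets a non-privileged local user replace
    the file before the privileged process executes it.
    Conservative: sticky-bit directories such as /tmp are flagged too.
    """
    findings = []
    current = os.path.realpath(path)  # resolve symlinks before walking
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by untrusted uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group- or world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    import tempfile

    # Constructed layout: a staging directory created by a normal user,
    # holding a script named like the one in Wardle's description.
    staging = tempfile.mkdtemp()
    script = os.path.join(staging, "runwithroot")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    for where, why in audit_root_exec_path(script):
        print(f"{where}: {why}")
```

An empty result means no component of the path can be swapped by an unprivileged user; any finding means the privileged step should not run the file from that location.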
The second vulnerability gives an attacker explicit access to the target device’s camera and mic. Hence, an attacker may even record Zoom meetings. As explained by Wardle,
Zoom has a specific “exclusion” that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access! This gives malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt)!
Zoom Security Questioned
These two security flaws simply add to the latest Zoom fiasco regarding users’ privacy. While user security is always an important aspect for the tech sector to consider, in recent days when work-from-home has become a necessity, Zoom has witnessed an increase in the userbase.
Perhaps for the same reason, the app came onto the radar of the New York attorney general over various security concerns. Zoom, however, in a statement to NYTimes, has given assurance of cooperating with the AG.
We appreciate the New York attorney general’s engagement on these issues and are happy to provide her with the requested information.
Let’s see how things unfold regarding Zoom’s user privacy and security. For now, users must remain very careful as they communicate via this app for personal, educational, or official matters.