Installing This Zoom Security Update Should Be An Immediate Priority
This is not a drill, folks — it's time to update your Zoom app, and you should do it right now if you want to keep your computer safe. If you're using a Mac and you have the Zoom app installed (as opposed to just using it in the browser), you may be running an unnecessary risk by avoiding the latest security fix.
A new vulnerability has been fixed in the latest update, but unless you've downloaded the new version of Zoom within the past couple of days, you are still running the software that could potentially allow a hacker to gain root privileges to your operating system. This could mean your whole Mac might be in danger.
Mahalo to everybody who came to my @defcon talk "You're M̶u̶t̶e̶d̶ Rooted" 🙏🏽
Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).
Currently there is no patch 👀😱
Slides with full details & PoC exploit: https://t.co/viee0Yd5o2 #0day pic.twitter.com/9dW7DdUm7P
— patrick wardle (@patrickwardle) August 12, 2022
You might be pleased to know that it wasn't some great hacking heist that exposed the vulnerability — it was a security researcher, Patrick Wardle, who described it in a presentation at DEFCON. Companies often rely on security specialists to try to hack their programs without any malicious intent. This wasn't Wardle's first rodeo — he's been spotting vulnerabilities in software and hardware for years, including noteworthy finds like exploits within the Apple M1 chip and malware that was masqueraded as Adobe Flash.
The Zoom exploit targets the software's installer, which is clever, because you usually need administrator permissions in order to install or uninstall new software. Wardle noticed that there was an auto-update that retained these super privileges as it continued to run in the background. A bug in that system could allow an attacker to substitute a legit Zoom update with a malicious program that could then be used to take control of your computer.
Make sure you update Zoom promptly
The vulnerability sounds pretty scary, but fortunately, it seems that Zoom chose to act fast. In its latest security bulletin, the company describes the exploit and advises users to update their Zoom client in order to stay secure. It also directs users to its official website to search for new versions of the program. This doesn't just apply to Zoom, really — it's a good way to secure yourself when it comes to any software you use regularly. If you need the latest version of Zoom for your Mac, head over to the official website in order to pick it up.
If you're not sure whether your Zoom needs an update, the company stated that this exploit affects versions from 5.7.3 to 5.11.3 of the macOS app. Starting with version 5.11.5, the fix has been applied, and it seems that we can consider the exploit patched and forgotten — at least until someone else picks up on a hint of a problem within the Zoom app.
Assuming you don't use Zoom frequently, it's worth noting that you don't even need to install the software in order to use it. Zoom can be used in the browser, and as long as the meeting leader sends you a link to join, you won't need to download the app. That's one way of staying safe on that front, but it could get tedious if you're jumping in and out of Zoom calls all day long.