Skip to main content

Zoom rolls out fix for vulnerability that can give anyone control of your Mac

If you’re a Zoom user with a Mac, there’s a critical security fix rolling out now that you should install immediately. The Zoom for Mac update addresses a major security vulnerability that could have allowed anyone to gain root access to your computer.

As reported by ArsTechnica, the vulnerability was first discovered by well-known security researcher Patrick Wardle. Wardle detailed the vulnerability at Def Con last week, explaining that Zoom’s auto-update feature doesn’t ask for a user password and is enabled by default.

What this means is that malicious actors could bypass the verification checker and either downgrade to an old, less secure version of Zoom or pass an entirely different package to the updater. The report explains:

It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for (“Zoom Video ... Certification Authority Apple Root CA.pkg“), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.

Zoom issued a security bulletin after Wardle detailed the vulnerability. The company said that the vulnerability in the auto-update process could allow a “local low-privileged user” to “escalate their privileges to root.” The affected versions of Zoom are the following:

  • Zoom Client for Meetings for macOS (Standard and for IT Admin) starting version 5.7.3 and before version 5.11.5

Zoom quickly then rolled out an update to its Mac app to patch the vulnerability. You can update your Zoom app on your Mac to version 5.11.5 (9788) to protect yourself.

This is only the latest example of Zoom’s oftentimes lackluster security practices. The company was forced to address a major vulnerability in 2019 that allowed websites to hijack your Mac’s webcams. It rolled out an update earlier this year to prevent your Mac’s microphone from staying active even after you left a call. And of course, it lied about offering end-to-end encryption for years.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is the editor-in-chief of 9to5Mac, overseeing the entire site’s operations. He also hosts the 9to5Mac Daily and 9to5Mac Happy Hour podcasts.

You can send tips, questions, and typos to chance@9to5mac.com.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications