Earlier this month, Zoom patched up two privilege escalation flaws that were described at the Black Hat conference. However, the patch was then bypassed, requiring yet another remedy.
At Black Hat, Patrick Wardle, a researcher in cybersecurity and the inventor of Objective-See, presented two macOS Zoom client flaws that might be used by a local, non-privileged intruder or malicious program to consistently escalate to root access.
Simply said, a malicious update might be sent to Zoom to install and execute when it shouldn’t typically be permitted to do so by utilizing the two vulnerabilities combined.
Zoom provided separate fixes for the issues on August 9 and 13 and Wardle praised the company for its speedy response time.
However, a simple glance at Zoom’s most recent security bulletins reveals that something went awry since five days later a third fix was made available for the same issue.
Csaba Fitzl, a content developer at Offensive Security and a macOS security researcher, tweeted that Zoom’s fix “was… insufficient, I managed to circumvent it.” Fitzl didn’t disclose how he was able to get around the fix, but Zoom gives him credit for disclosing the third vulnerability.
Unless using a version older than 5.7.3, Zoom users on macOS are urged to update their client right away to version 5.11.6. If the latter applies to you, it could be a good idea to upgrade due to a number of additional security issues with Zoom that have surfaced recently.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.