MANILA, Philippines – Zoom said it released security updates for its macOS client after a security researcher at Jamf revealed two flaws in the client that could give a local, unprivileged attacker root (administrative) privileges or access to a user's microphone and camera.
It also froze feature development for 90 days to address security and privacy issues with the application.
The first flaw has to do with Zoom's installer on macOS. Zoom uses a function to allow someone with administrative access to install the app without any user interaction.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020
While seemingly convenient, this design also means someone who already has access to the target computer, for example physical access (otherwise known as a local attacker), can tamper with the Zoom installer beforehand so that it grants them root privileges as well. With root, it becomes easier for them to install more malware on that computer.
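The installer behaviour described above (a preinstall script that unpacks a bundled archive and copies the app into /Applications after checking the admin group) is exactly the kind of thing a defender wants to see before a package is approved for deployment. The following is an added example, not code from the article, Jamf, VMRay or Zoom: a small audit script that walks the directory `pkgutil --expand some.pkg outdir` produces, finds the install-time scripts it contains (the `Scripts/preinstall` and `Scripts/postinstall` layout is assumed), and reports the lines a reviewer should read: writes under /Applications, bundled archivers, group-membership checks, privilege changes and persistence. The sample preinstall script it audits is constructed for the demo and is not Zoom's script.

```python
"""Audit a pkgutil-expanded macOS installer package for install-time scripts.

Added example (not from the article, Jamf, VMRay or Zoom). Assumes the layout
that `pkgutil --expand some.pkg outdir` produces, where install scripts live
under Scripts/ as files named preinstall, postinstall, preupgrade, postupgrade.
"""
import re
import tempfile
from pathlib import Path

SCRIPT_NAMES = {"preinstall", "postinstall", "preupgrade", "postupgrade"}

# Things a reviewer should read before approving a package: (label, regex).
RISK_PATTERNS = [
    ("writes-applications", re.compile(r"/Applications\b")),
    ("bundled-archiver", re.compile(r"\b7z[ar]?\b|\bunzip\b|\btar\b")),
    ("group-check", re.compile(r"\badmin\b.*\bgroup\b|\bid -G|\bdseditgroup\b|\bdsmemberutil\b")),
    ("privilege-change", re.compile(r"\bsudo\b|\bchown\b|\bchmod\b|\bsetuid\b")),
    ("persistence", re.compile(r"\blaunchctl\b|LaunchDaemons|LaunchAgents")),
]


def audit_expanded_pkg(root):
    """Return one finding per install script: its path and the flagged lines."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.name in SCRIPT_NAMES):
            continue
        hits = []
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            # Skip blank lines, comments and the shebang; audit only commands.
            if not stripped or stripped.startswith("#"):
                continue
            for label, pattern in RISK_PATTERNS:
                if pattern.search(line):
                    hits.append((lineno, label, stripped))
        findings.append({"script": str(path.relative_to(root)), "hits": hits})
    return findings


def format_report(findings):
    """Render findings as plain text for a deployment review ticket."""
    lines = []
    for finding in findings:
        lines.append(f"{finding['script']}: {len(finding['hits'])} line(s) to review")
        for lineno, label, text in finding["hits"]:
            lines.append(f"  line {lineno} [{label}] {text}")
    return "\n".join(lines)


# Constructed sample preinstall script modelled on the behaviour the tweet
# describes (admin-group check, bundled archiver, copy into /Applications).
# It is NOT Zoom's real script.
DEMO_PREINSTALL = """#!/bin/sh
# constructed sample for the audit demo
if id -Gn "$USER" | grep -qw admin; then
    ./7zr x "$PWD/app.7z" -o/tmp/app.unpacked
    cp -R /tmp/app.unpacked/App.app /Applications/
    chown -R root:wheel /Applications/App.app
fi
"""


def build_demo_tree():
    """Create a throwaway directory shaped like pkgutil --expand output."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-"))
    scripts = root / "Scripts"
    scripts.mkdir()
    (scripts / "preinstall").write_text(DEMO_PREINSTALL)
    (scripts / "postinstall").write_text("#!/bin/sh\necho done\n")
    return root


def demo():
    """Audit the constructed package tree and return the findings."""
    return audit_expanded_pkg(build_demo_tree())


if __name__ == "__main__":
    print(format_report(demo()))
```

Point it at a real expanded package with `audit_expanded_pkg("outdir")`; the patterns are a starting checklist rather than a verdict, and any script that runs a bundled binary or writes outside its own payload deserves a manual read before the package is pushed to managed Macs.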
A second flaw in Zoom can give a local attacker access to the webcam and microphone on a Mac. According to Wardle, the Jamf researcher, an attacker can inject malicious code into Zoom so that the injected code inherits the same camera and microphone access that Zoom itself has been granted. Wardle added, “No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video.”
More information on Zoom's macOS installer flaws can be found in this VMRay analysis by Felix Seele.
In an April 1 blog post, Zoom said it had released patches addressing the vulnerabilities Wardle disclosed.
Zoom freezes feature development
Zoom, in response to the growing number of issues found with the app, also announced it was freezing feature development for 90 days.
The company won't add new features until it's done fixing its existing feature set.
Zoom CEO Eric Yuan wrote, “For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations."