San Francisco, Aug 13 (IANS) A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.
According to The Verge, details of the exploit were released in a presentation by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas this week.
Zoom has already fixed some of the bugs involved, but the researcher also presented one unpatched vulnerability that still affects systems now.
The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions to install or remove the main Zoom application from a computer.
Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom.
But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any malware program and have it be run by the updater with elevated privilege, the report said.
The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system and then employs an exploit to gain a higher level of access.
In this case, the attacker begins with a restricted user account but escalates into the most powerful user type — known as a “superuser” or “root” — allowing them to add, remove, or modify any files on the machine.
(Except for the headline, the rest of this IANS article is un-edited)
For more technology news, product reviews, sci-tech features and updates, keep reading Digit.in
Stay connected with us on social media platform for instant update click here to join our Twitter, & Facebook
We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
Denial of responsibility! NewsAzi is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
