Zoom patches make-me-root security flaw, patches patch

Zoom fixed a pair of privilege escalation vulnerabilities, which were detailed at the Black Hat conference this month, but that patch was bypassed, necessitating yet another fix. Patrick Wardle, cybersecurity researcher and founder of Objective-See, talked about the two macOS Zoom client vulnerabilities at Black Hat, both of …

  1. Fred Daggy Silver badge
    Unhappy

    I remember Flash

    Is Zoom the new "Flash player" of security vulnerabilities?

    1. DS999 Silver badge

      Re: I remember Flash

      Given that it is software that the majority of people must have installed and use regularly today, just like Flash was back in the day, I suppose so.

      It pays to spend your efforts trying to find holes in more widely distributed software. There might be holes in AutoCAD big enough to drive a truck through, but with 0.1% of the population having it installed it isn't worth the effort for the typical black hat to look for holes in it.

      That's also why you see Google and Apple constantly patching Chrome and Safari security issues. The browser is a huge target of opportunity because everyone uses the web.

      It is depressing that years keep ticking by, and no one has become any better at writing secure software. If anything, things are worse today than when we started making fun of Adobe's constant patching of Flash.

      1. Anonymous Coward

        Re: I remember Flash

        If we went back to MS-DOS and ran just one program at a time, it would be a lot easier (there were still viruses, but they were mainly propagated by floppy-net). Multi-tasking systems will always present a harder challenge. At a basic level, allowing a PC access to a network is a vulnerability.

        The demand for the internet browser to be the all-dancing UI is an almost impossible attack interface to defend. Personally, I lock my browser (Safari, by default) down as tight as I can, whilst still being able to achieve what is needed.

        In most cases, vulnerabilities are not the result of carelessness, or even incompetence (unless we expect those providing software to be 100% perfect (I know that's a tautology - but it's deliberate to emphasise a point)) - they're a fact of life, just as biological viruses are.

        1. iron Silver badge

          Re: I remember Flash

          Viruses were mostly distributed by floppy back then because only a handful of weirdos like myself were on the Internet. That said, the Morris worm used the Internet all the way back in '88.

        2. Charlie Clark Silver badge

          Re: I remember Flash

          MS-DOS did let some programs run concurrently, though not as we now think of it. And if you don't have some degree of this, every program has to implement all its own drivers, which is just another source of bugs, as anyone who worked with peripherals more complicated than mouse and keyboard should remember.

      2. Charlie Clark Silver badge

        Re: I remember Flash

        The comparison with modern runtimes and Flash is misleading. The Flash runtime was insecure almost by design, which is why it was so difficult to secure. Modern exploits are increasingly targeting esoteric side effects of what is generally well written code.

        As a result I think browsers are reasonably secure and only run things like Zoom in them rather than installing a separate app.

        1. Androgynous Cupboard Silver badge

          Re: I remember Flash

          Agreed. I'd also add that 20 years ago you had kids doing it for fun; now it's both a major moneyspinner for organised crime AND a hugely effective weapon for Governments - many examples, but the DNC email hack put Trump in power, which did huge damage to the US, internally and externally.

          The fact you're not seeing more hacks is testament to the huge increase in awareness and effort at all layers in the software stack.

        2. DS999 Silver badge

          Re: I remember Flash

          SOME modern exploits may target side effects of well written code in the really carefully crafted ones (like the amazingly complex NSO exploit against the iPhone that required at least five separate exploits chained together and undoubtedly represented millions in R&D)

          But you still see plenty of the out of bounds memory writes and poor input validation issues that have been around since the Morris Worm. You only need to look at all the security patches for Chrome and Safari to see that those old school exploits are still very much alive and kicking, even if there have been some more esoteric ones added to the collection - which are mostly for new target types i.e. there's little need to use side channel attacks against a single user device like a phone. But if you want to attack something running in a hypervisor - which 30 years ago was a mainframe only thing - that's the way attackers have adapted to what was once considered nearly impenetrable security.

    2. Claptrap314 Silver badge

      Re: I remember Flash

      That would be Chromium...

  2. Version 1.0 Silver badge
    Pint

    "See if in-app browsers are monitoring you"

    If you believe that nothing is monitoring you then please book an appointment with a psychiatrist to help you avoid problems in the future... is that a joke or is it simply the way everything works these days? I'm not pissed about this, I'll have a beer and then stop in the loo before I leave the pub to eliminate any beer monitoring risks (OK, that's a joke).

    1. ThatOne Silver badge
      Big Brother

      Re: "See if in-app browsers are monitoring you"

      > If you believe that nothing is monitoring you

      If there is money to be made, it is bound to happen. Never mind people thinking "I'm too unimportant for them to bother": most plankton organisms are so small they're barely visible, yet they feed huge whales! It's the quantity that makes the difference; a million nobodies are well worth a much rarer somebody.

    2. Snake Silver badge

      Re: "See if in-app browsers are monitoring you"

      They mention Amazon, but what in-app browser does Amazon have? Am I missing something??

  3. Woodnag

    Don't Zoom have any competent security testers?

    I find it unbelievable that a company as large as Zoom couldn't even patch an externally disclosed flaw properly on the first release. Doesn't the word 'release' have any meaning in terms of testing and quality to Zoom?

    Missing an exploit, sure, it happens. But the initial flawed patch release should entail a consequence to the senior manager who signed off the release.

    1. Charlie Clark Silver badge
      Stop

      Re: Don't Zoom have any competent security testers?

      You might want to apply for that job.

      I'm not a fan of Zoom, or "video conferencing" in general for that matter, and it doesn't have a great track record in security. But getting this right, especially once the software had been released is often harder than you think.

      As users we also have the choice to run this kind of thing in the browser, which does give an extra layer of protection. And credit should go to Google, Firefox and others for: improving the plugin architecture in general; adding WebRTC to browsers to make plugins even less required.

  4. Ian Johnston Silver badge

    Why on earth does MacOS allow a videoconferencing application to run anything as root? That's the problem here - if the OS was secure, what applications tried to do wouldn't matter.

    1. Charlie Clark Silver badge

      It doesn't but you do have to give it permission to access the hardware. This is true for all video conferencing apps. Another reason why it's best keeping them in the browser.

      1. Ian Johnston Silver badge

        > It doesn't but you do have to give it permission to access the hardware.

        Sure, but all the hardware? And why as root?

        1. Charlie Clark Silver badge

          No, permissions are fine-grained for things like microphone and camera. Technically, anything that has real access to hardware has the godlike powers of root. But there is a difference between permission being given on a per process basis and running as root. That said, I removed Zoom fairly quickly from my system once I realised it couldn't be installed for a single user only.

  5. A random security guy

    Basic security principles were vehemently ignored

    From the Verge

    https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle

    Patrick Wardle states

    The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

    When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.
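    The flawed name-match check described above, beside a check that verifies the package bytes themselves, as an added Go example (not Zoom's code; the signer string, key pair and package contents are constructed stand-ins):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Signer identity the updater expects. Constructed placeholder, not Zoom's real certificate string.
const expectedSigner = "Developer ID Installer: Example Vendor"

// mockSignatureReport stands in for the textual report the flawed updater parsed:
// it echoes the package path and whatever signer was actually found (constructed).
func mockSignatureReport(path, actualSigner string) string {
	return fmt.Sprintf("Package %q:\n   Status: signed\n   Signer: %s\n", path, actualSigner)
}

// weakCheck models the logic described in the thread: look for the expected
// signer name anywhere in the report. Because the report echoes the file name,
// a file named after the signer passes even when it is signed by nobody.
func weakCheck(report string) bool {
	return strings.Contains(report, expectedSigner)
}

// strongCheck verifies an Ed25519 signature over the package bytes against a
// pinned public key. The file name plays no part in the decision, so renaming
// a file cannot make it pass.
func strongCheck(pinnedPub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pinnedPub, pkg, sig)
}

func main() {
	// Unsigned file whose name merely contains the expected signer string.
	impostor := mockSignatureReport("/tmp/"+expectedSigner+".pkg", "none")
	fmt.Println("weak check accepts impostor:", weakCheck(impostor)) // true: the bug

	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	genuine := []byte("genuine update payload")
	sig := ed25519.Sign(priv, genuine)
	fmt.Println("strong check accepts genuine:", strongCheck(pub, genuine, sig))              // true
	fmt.Println("strong check accepts tampered:", strongCheck(pub, []byte("malware"), sig))  // false
}
```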

    1. Fred Daggy Silver badge
      Thumb Down

      Re: Basic security principles were vehemently ignored

      And people look at me crazy when I tell them to disable all auto-update functionality in any program for corporate deployment. BEFORE it hits the desktop. Why go to that trouble - they think?

      1 - Buggy updates. You wanna wipe out the company with one fouled update that leaves the program stone dead, removes critical functionality, is known to be vulnerable or hoses the PC? Go ahead.

      2 - Buggy updaters. Seems like this is the poster child. But it can just be that it doesn't realise the user does not have privileges to actually perform the update. Or just that they sit there consuming memory. The worst updaters have a process for each user that logged on to the PC!

    2. Richard 12 Silver badge

      Re: Basic security principles were vehemently ignored

      That is one of the reasons I hate Electron.

      Bloody squirrel, updating code in userspace to avoid all the OS security checks - so it kind of doesn't matter whether it's root or not.

      Seems Zoom have gone one step further.
