In March 2020, as the whole world was just getting to grips with working remotely, a vulnerability was discovered in the installer of Zoom - one of the world’s prime remote communication tools - allowing arbitrary code execution on Apple computers. Fast-forward to August 2022, and a similar hole has been found (in terms of both location and exploitation consequences). This post examines this latest security issue, and seeks to explain why holes in software sometimes crop up repeatedly in the same place. It ends with advice regarding what to do about it.

The new problem in the Zoom videoconferencing client was highlighted by renowned researcher Patrick Wardle at DEF CON 30 in early August 2022. Long story short, a few bugs were found in the automatic update system of the Zoom client for Apple computers. These bugs, in theory, made it possible to obtain so-called super-user rights, which would allow an attacker to do whatever they wanted on the host computer. To exploit the vulnerability, however, the attacker needed to already have physical access to the computer, albeit without special rights. But this is not an entirely unrealistic scenario: for example, the user might go for lunch and forget to lock their computer. Theoretically, the vulnerability could also be exploited by malware already running with ordinary user rights, which otherwise would not be able to cause serious damage to the user.

Timely delivery and easy installation of updates are important requirements for any modern piece of software. Ideally, bug fixes should be installed without the user even noticing, but this isn’t always possible. To complete an update, you often have to restart a program, re-login, or even reboot. We all get annoyed by pop-up messages reminding us to update a program, operating system, smartphone or tablet firmware. But it’s vital to do so: updates close security holes that could otherwise be used against you. In some particularly serious cases, you need to protect vulnerable software against active cyberattacks immediately: one day of delay can cost you data.

The bog-standard way to update a macOS application is no different from its first installation: download the new version, run the file, and enter a user password. Zoom tried to simplify this procedure: the client accesses the server, downloads the new version, and it installs all by itself without requiring the user to enter a password. Unfortunately, this process of communicating with the server, then downloading and installing the update, is not always implemented correctly. Ten years ago, accessing update servers without encryption was common practice, allowing a potential attacker to simply replace the update file with malware while it was in transit. In the latest version of Zoom (as of late last year, when Patrick began his research), everything seemed to be okay: encryption was in place, making that kind of substitution much harder. But it is still possible to substitute the file after it has been downloaded, when it is already saved on the disk but not yet installed.
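The window just described, between the updater checking the downloaded file and actually installing it, is a classic time-of-check/time-of-use race. The following is an added example, not code from the post or from Zoom, that simulates it: a "privileged installer" that verifies a staged package by path and then re-opens the path to install it, beside a hardened version that verifies and installs the very same bytes. An HMAC with a constructed key stands in for the vendor's code-signature check, and the package contents, file names and the `tamper` hook (an unprivileged user renaming their own file over the staged one during the window) are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the vendor's signing key. A real updater would check a
# code signature on the package, not an HMAC; the race is the same either way.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(data: bytes) -> str:
    """Vendor side: produce the 'signature' shipped alongside an update."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def is_signed(data: bytes, sig: str) -> bool:
    """Updater side: constant-time check of the package against its signature."""
    return hmac.compare_digest(sign(data), sig)


def vulnerable_install(path: str, sig: str, tamper) -> bytes:
    """Check-then-install by path: the check and the install resolve the path
    separately, so an attacker who can swap the directory entry in between
    gets an unsigned file installed with the installer's (root) privileges."""
    with open(path, "rb") as f:
        if not is_signed(f.read(), sig):
            raise ValueError("signature check failed")
    tamper()  # the window: unprivileged user replaces the staged file
    with open(path, "rb") as f:  # re-resolves the name -> attacker's file
        return f.read()  # what gets "installed"


def hardened_install(path: str, sig: str, tamper) -> bytes:
    """Open once, read once, verify those bytes, install those same bytes.
    The path is never consulted again, so swapping the name changes nothing."""
    fd = os.open(path, os.O_RDONLY)
    try:
        data = b"".join(iter(lambda: os.read(fd, 65536), b""))
    finally:
        os.close(fd)
    if not is_signed(data, sig):
        raise ValueError("signature check failed")
    tamper()  # same window, but we already hold the verified bytes
    return data


def demo() -> dict:
    """Run both installers against a staged package that an unprivileged user
    swaps (via an atomic rename) during the check/install window."""
    genuine = b"genuine Zoom update package (constructed)"
    malicious = b"attacker payload (constructed)"
    sig = sign(genuine)  # only the genuine package is signed
    results = {}
    for name, installer in (("vulnerable", vulnerable_install),
                            ("hardened", hardened_install)):
        with tempfile.TemporaryDirectory() as d:
            staged = os.path.join(d, "update.pkg")
            evil = os.path.join(d, "evil.pkg")
            with open(staged, "wb") as f:
                f.write(genuine)
            with open(evil, "wb") as f:
                f.write(malicious)
            # os.replace atomically points the name 'update.pkg' at the
            # attacker's file; the already-open descriptor still refers to
            # the original inode.
            results[name] = installer(staged, sig,
                                      lambda: os.replace(evil, staged))
    return results


if __name__ == "__main__":
    for name, installed in demo().items():
        print(f"{name:10s} installed: {installed!r}")
```

Running `demo()` shows the vulnerable installer happily installing the attacker's payload while the hardened one installs exactly what it verified. Two practical caveats: binding verification to an open descriptor only helps against a rename-based swap, so if the attacker can write into the staged file itself (same inode) the updater must also stage the download somewhere the unprivileged user cannot write before checking it; and because the install step runs with super-user rights, the rule is that whatever is verified must be the same object that is executed or installed, with no path lookup in between.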