Zoom for Mac patches critical security flaw
Zoom has patched a high severity security vulnerability present in the automatic updater for its desktop client on MacBooks.
According to a security bulletin published on 13 August, the Standard and IT Admin Zoom Client for Meetings for macOS, versions 5.7.3 and later but before version 5.11.5, were vulnerable.
“A local low-privileged user could exploit this vulnerability to escalate their privileges to root,” Zoom said.
The vulnerability is tracked as CVE-2022-28756 and has a Common Vulnerability Scoring System (CVSS) score of 8.8.
Mac security researcher Patrick Wardle disclosed the flaw to Zoom in December 2021, The Verge reported.
Wardle told The Verge that Zoom’s initial patch for the bug did not fix the issue but only made it more laborious to exploit the vulnerability.
After disclosing this second bug to Zoom and waiting eight months to publish his research, Wardle publicly revealed his discoveries during the DefCon security conference in Las Vegas on Friday.
While Zoom issued a patch for Wardle’s initial discoveries, the researcher found an error that attackers could use to trick the patched automatic update installer into downgrading Zoom to a vulnerable version.
Wardle said attackers would need prior access to a user’s computer to exploit the security flaws.
Zoom issued a security patch fixing CVE-2022-28756 in the update for version 5.11.5.
🆕 Update(s):
🐛 Bug assigned CVE-2022-28756
🩹 Patch now available, in Zoom v5.11.5 (9788)
See Zoom’s security bulletin: https://t.co/xUpE4jS6ck
Mahalos to @Zoom for the (incredibly) quick fix! 🙌🏽 🙏🏽
— patrick wardle (@patrickwardle) August 14, 2022