Details of this exploit were shared by Mac cybersecurity specialist Patrick Wardle , during its presentation at Def Con, a hacking conference held in Las Vegas last Friday.
Zoom has already fixed some of the bugs outlined by the researcher, but this also presented an unpatched vulnerability that continues to affect systems.
The attack is of the privilege escalation type and works starting from the Zoom installer, which, to install or remove the app from the system, requires special user permissions, with consequent typing of the password. However, the researcher found that the automatic update feature continues to run in the background without requiring superuser privileges.| ); }
Wardle warned Zoom of the vulnerability last December. Unfortunately, the first fix by Zoom contained a bug that made it still possible to exploit the flaw, albeit with some more complications, consequently the researcher reported the second bug to the company and, as per protocol, he waited 8 months before publish the research.
In any case, Zoom has intervened on the problem and has also solved the second vulnerability with version 5.11.5 and then with 5.11.6 of its app for Mac, already available for download .