Feature you'd normally want for secure software opened a huge hole.
If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.
The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user.
Courtesy of Ars Technica
Article Author: Kevin Purdy