Zoom: a security researcher discovers several flaws in the automatic update process | TechBuzz

- Advertisement -


Several security flaws discovered in Zoom. Through the automatic update process, hackers can regain control of the victim’s machine.

The automatic update option Zoom helps users ensure they always have the latest version of video conferencing software, which has suffered from a number of privacy and security concerns in recent years. A Mac security specialist has discovered several flaws in the automatic update tool that would have allowed malicious people to obtain full control of their victim’s machine.

Several security flaws discovered in Zoom

- Advertisement -

Patrick Wardle presented his findings at this year’s DefCon conference. According to Wired, two of them have been revealed. The first was found in the process of verifying the signature of the app, which makes it possible to ensure the integrity of the update to be installed to ensure that the latter is completely legitimate. This prevents an attacker from making the installer believe that he can install anything.

Via the automatic update process

Patrick Wardle discovered that hackers could bypass signature verification by naming their files a certain way. Once inside, they can gain root access and control their victim’s machine. The Verge explains that the researcher communicated the existence of this flaw to Zoom in December 2021, but the patch contained another flaw. The second vulnerability could have given hackers a way to bypass the safeguard put in place by Zoom to ensure that the update process installs the latest version of the app. Patrick Wardle discovered that it was possible to trick a tool facilitating the distribution of the Zoom update into accepting an older version of the software.

hackers can regain control of the victim’s machine

Zoom has already corrected this flaw too, but the expert found another vulnerability, also presented during the conference. At some point between the auto-installer verifying the package and the installation process itself, it is possible to inject malicious code into the update. A downloaded package that needs to be installed can apparently retain its original read/write permissions, allowing anyone to modify them. This means that even users without root access can exchange content with malicious code and take control of the target machine.

- Advertisement -

The company told The Verge that it is working on a patch for this new vulnerability discovered by the expert. As Wired points out, attackers must already have access to the user’s machine in order to exploit these flaws. Although there is no immediate danger for the majority of users, Zoom recommends always “staying up to date with the latest version” of the app. This allows you to take advantage of end-to-end encryption.



Source link

- Advertisement -
Admin
Adminhttp://techbuzz.asia
I am admin of techbuzz.asia blog & I provide tech-related news. As a part of my hobby, I make content related to technology and gadgets reviews too. I love to be a content creator apart from it, I am a full-time employee in an MNC company and manage blogs systematically. You can mail me at [email protected]

More from author

Related posts

Advertisment

Latest posts

Oxenfree II: Lost Signals pushed back to 2023 | TechBuzz

Oxenfree II: Lost Signals is postponed to 2023....

5 quick steps to a modern and high-quality WooCommerce web store | TechBuzz

Thinking of starting a web store? Are you interested in how to quickly, simply and...
[tdn_block_newsletter_subscribe title_text="Want to stay up to date with the latest news? " description="V2UlMjB3b3VsZCUyMGxvdmUlMjB0byUyMGhlYXIlMjBmcm9tJTIweW91ISUyMFBsZWFzZSUyMGZpbGwlMjBpbiUyMHlvdXIlMjBkZXRhaWxzJTIwYW5kJTIwd2UlMjB3aWxsJTIwc3RheSUyMGluJTIwdG91Y2guJTIwSXQncyUyMHRoYXQlMjBzaW1wbGUh" input_placeholder="Email address" btn_text="Subscribe" tds_newsletter2-image="8" tds_newsletter2-image_bg_color="#c3ecff" tds_newsletter3-input_bar_display="row" tds_newsletter4-image="9" tds_newsletter4-image_bg_color="#fffbcf" tds_newsletter4-btn_bg_color="#f3b700" tds_newsletter4-check_accent="#f3b700" tds_newsletter5-tdicon="tdc-font-fa tdc-font-fa-envelope-o" tds_newsletter5-btn_bg_color="#000000" tds_newsletter5-btn_bg_color_hover="#4db2ec" tds_newsletter5-check_accent="#000000" tds_newsletter6-input_bar_display="row" tds_newsletter6-btn_bg_color="#da1414" tds_newsletter6-check_accent="#da1414" tds_newsletter7-image="10" tds_newsletter7-btn_bg_color="#1c69ad" tds_newsletter7-check_accent="#1c69ad" tds_newsletter7-f_title_font_size="20" tds_newsletter7-f_title_font_line_height="28px" tds_newsletter8-input_bar_display="row" tds_newsletter8-btn_bg_color="#00649e" tds_newsletter8-btn_bg_color_hover="#21709e" tds_newsletter8-check_accent="#00649e" tds_newsletter="tds_newsletter1" tds_newsletter1-input_bar_display="" tds_newsletter1-input_border_size="0" tds_newsletter1-title_color="#172842" tds_newsletter1-description_color="#90a0af" tds_newsletter1-disclaimer_color="#90a0af" tds_newsletter1-disclaimer2_color="#90a0af" tds_newsletter1-input_text_color="#90a0af" tds_newsletter1-input_placeholder_color="#bcccd6" tds_newsletter1-input_bg_color="#ffffff" tds_newsletter1-input_border_color="rgba(255,255,255,0)" tds_newsletter1-input_border_color_active="rgba(255,255,255,0)" tds_newsletter1-f_title_font_family="394" tds_newsletter1-f_title_font_size="eyJhbGwiOiI0MiIsImxhbmRzY2FwZSI6IjM2IiwicG9ydHJhaXQiOiIzMCIsInBob25lIjoiMzAifQ==" tds_newsletter1-f_title_font_line_height="1.2" tds_newsletter1-f_title_font_spacing="-1" tds_newsletter1-f_descr_font_family="638" tds_newsletter1-f_descr_font_size="eyJhbGwiOiIxOCIsImxhbmRzY2FwZSI6IjE1IiwicG9ydHJhaXQiOiIxNCIsInBob25lIjoiMTQifQ==" tds_newsletter1-f_descr_font_line_height="1.6" tds_newsletter1-f_descr_font_weight="700" content_align_horizontal="content-horiz-center" tdc_css="eyJhbGwiOnsibWFyZ2luLXJpZ2h0IjoiYXV0byIsIm1hcmdpbi1ib3R0b20iOiIxMDAiLCJtYXJnaW4tbGVmdCI6ImF1dG8iLCJwYWRkaW5nLXRvcCI6IjkwIiwid2lkdGgiOiI0MCUiLCJkaXNwbGF5IjoiIn0sInBvcnRyYWl0Ijp7Im1hcmdpbi1ib3R0b20iOiI3MCIsInBhZGRpbmctdG9wIjoiNjAiLCJ3aWR0aCI6IjcwJSIsImRpc3BsYXkiOiIifSwicG9ydHJhaXRfbWF4X3dpZHRoIjoxMDE4LCJwb3J0cmFpdF9taW5fd2lkdGgiOjc2OCwicGhvbmUiOnsibWFyZ2luLWJvdHRvbSI6IjcwIiwicGFkZGluZy10b3AiOiI2MCIsIndpZHRoIjoiMTAwJSIsImRpc3BsYXkiOiIifSwicGhvbmVfbWF4X3dpZHRoIjo3NjcsImxhbmRzY2FwZSI6eyJtYXJnaW4tYm90dG9tIjoiOTAiLCJwYWRkaW5nLXRvcCI6IjgwIiwid2lkdGgiOiI2NSUiLCJkaXNwbGF5IjoiIn0sImxhbmRzY2FwZV9tYXhfd2lkdGgiOjExNDAsImxhbmRzY2FwZV9taW5fd2lkdGgiOjEwMTl9" tds_newsletter1-f_disclaimer_font_family="394" tds_newsletter1-f_disclaimer2_font_family="394" tds_newsletter1-f_input_font_family="394" tds_newsletter1-f_input_font_line_height="3" tds_newsletter1-f_input_font_size="eyJhbGwiOiIxNiIsInBvcnRyYWl0IjoiMTQiLCJwaG9uZSI6IjE0In0=" tds_newsletter1-f_btn_font_family="394" tds_newsletter1-f_btn_font_transform="uppercase" tds_newsletter1-f_btn_font_weight="700" tds_newsletter1-btn_bg_color="#e2687e" tds_newsletter1-btn_bg_color_hover="#172842" tds_newsletter1-f_input_font_weight="" tds_newsletter1-f_title_font_weight="800" embedded_form_code="JTNDIS0tJTIwQmVnaW4lMjBNYWlsY2hpbXAlMjBTaWdudXAlMjBGb3JtJTIwLS0lM0UlMEElM0NsaW5rJTIwaHJlZiUzRCUyMiUyRiUyRmNkbi1pbWFnZXMubWFpbGNoaW1wLmNvbSUyRmVtYmVkY29kZSUyRnNsaW0tMTBfN19kdHAuY3NzJTIyJTIwcmVsJTNEJTIyc3R5bGVzaGVldCUyMiUyMHR5cGUlM0QlMjJ0ZXh0JTJGY3NzJTIyJTNFJTBBJTNDc3R5bGUlMjB0eXBlJTNEJTIydGV4dCUyRmNzcyUyMiUzRSUwQSUwOSUyM21jX2VtYmVkX3NpZ251cCU3QmJhY2tncm91bmQlM0ElMjNmZmYlM0IlMjBjbGVhciUzQWxlZnQlM0IlMjBmb250JTNBMTRweCUyMEhlbHZldGljYSUyQ0FyaWFsJTJDc2Fucy1zZXJpZiUzQiUyMCU3RCUwQSUwOSUyRiolMjBBZGQlMjB5b3VyJTIwb3duJTIwTWFpbGNoaW1wJTIwZm9ybSUyMHN0eWxlJTIwb3ZlcnJpZGVzJTIwaW4lMjB5b3VyJTIwc2l0ZSUyMHN0eWxlc2hlZXQlMjBvciUyMGluJTIwdGhpcyUyMHN0eWxlJTIwYmxvY2suJTBBJTA5JTIwJTIwJTIwV2UlMjByZWNvbW1lbmQlMjBtb3ZpbmclMjB0aGlzJTIwYmxvY2slMjBhbmQlMjB0aGUlMjBwcmVjZWRpbmclMjBDU1MlMjBsaW5rJTIwdG8lMjB0aGUlMjBIRUFEJTIwb2YlMjB5b3VyJTIwSFRNTCUyMGZpbGUuJTIwKiUyRiUwQSUzQyUyRnN0eWxlJTNFJTBBJTNDZGl2JTIwaWQlM0QlMjJtY19lbWJlZF9zaWdudXAlMjIlM0UlMEElM0Nmb3JtJTIwYWN0aW9uJTNEJTIyaHR0cHMlM0ElMkYlMkZ5b3VpbmZpbml0eS51czExLmxpc3QtbWFuYWdlLmNvbSUyRnN1YnNjcmliZSUyRnBvc3QlM0Z1JTNENjI4YWQ0NDQ3ODk1ZWE4NTE3MmIyM2ZmYiUyNmFtcCUzQmlkJTNEMzMxMzJmNWRlOCUyMiUyMG1ldGhvZCUzRCUyMnBvc3QlMjIlMjBpZCUzRCUyMm1jLWVtYmVkZGVkLXN1YnNjcmliZS1mb3JtJTIyJTIwbmFtZSUzRCUyMm1jLWVtYmVkZGVkLXN1YnNjcmliZS1mb3JtJTIyJTIwY2xhc3MlM0QlMjJ2YWxpZGF0ZSUyMiUyMHRhcmdldCUzRCUyMl9ibGFuayUyMiUyMG5vdmFsaWRhdGUlM0UlMEElMjAlMjAlMjAlMjAlM0NkaXYlMjBpZCUzRCUyMm1jX2VtYmVkX3NpZ251cF9zY3JvbGwlMjIlM0UlMEElMDklM0NsYWJlbCUyMGZvciUzRCUyMm1jZS1FTUFJTCUyMiUzRVN1YnNjcmliZSUzQyUyRmxhYmVsJTNFJTBBJTA5JTNDaW5wdXQlMjB0eXBlJTNEJTIyZW1haWwlMjIlMjB2YWx1ZSUzRCUyMiUyMiUyMG5hbWUlM0QlMjJFTUFJTCUyMiUyMGNsYXNzJTNEJTIyZW1haWwlMjIlMjBpZCUzRCUyMm1jZS1FTUFJTCUyMiUyMHBsYWNlaG9sZGVyJTNEJTIyZW1haWwlMjBhZGRyZXNzJTIyJTIwcmVxdWlyZWQlM0UlMEElMjAlMjAlMjAlMjAlM0MhLS0lMjByZWFsJTIwcGVvcGxlJTIwc2hvdWxkJTIwbm90JTIwZmlsbCUyMHRoaXMlMjBpbiUyMGFuZCUyMGV4cGVjdCUyMGdvb2QlMjB0aGluZ3MlMjAtJTIwZG8lMjBub3QlMjByZW1vdmUlMjB0aGlzJTIwb3IlMjByaXNrJTIwZm9ybSUyMGJvdCUyMHNpZ251cHMtLSUzRSUwQSUyMCUyMCUyMCUyMCUzQ2RpdiUyMHN0eWxlJTNEJTIycG9zaXRpb24lM0ElMjBhYnNvbHV0ZSUzQiUyMGxlZnQlM0ElMjAtNTAwMHB4JTNCJTIyJTIwYXJpYS1oaWRkZW4lM0QlMjJ0cnVlJTIyJTNFJTNDaW5wdXQlMjB0eXBlJTNEJTIydGV4dCUyMiUyMG5hbWUlM0QlMjJiXzYyOGFkNDQ0Nzg5NWVhODUxNzJiMjNmZmJfMzMxMzJmNWRlOCUyMiUyMHRhYmluZGV4JTNEJTIyLTElMjIlMjB2YWx1ZSUzRCUyMiUyMiUzRSUzQyUyRmRpdiUzRSUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2RpdiUyMGNsYXNzJTNEJTIyb3B0aW9uYWxQYXJlbnQlMjIlM0UlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0NkaXYlMjBjbGFzcyUzRCUyMmNsZWFyJTIwZm9vdCUyMiUzRSUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2lucHV0JTIwdHlwZSUzRCUyMnN1Ym1pdCUyMiUyMHZhbHVlJTNEJTIyU3Vic2NyaWJlJTIyJTIwbmFtZSUzRCUyMnN1YnNjcmliZSUyMiUyMGlkJTNEJTIybWMtZW1iZWRkZWQtc3Vic2NyaWJlJTIyJTIwY2xhc3MlM0QlMjJidXR0b24lMjIlM0UlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0NwJTIwY2xhc3MlM0QlMjJicmFuZGluZ0xvZ28lMjIlM0UlM0NhJTIwaHJlZiUzRCUyMmh0dHAlM0ElMkYlMkZlZXB1cmwuY29tJTJGaFNDMFhMJTIyJTIwdGl0bGUlM0QlMjJNYWlsY2hpbXAlMjAtJTIwZW1haWwlMjBtYXJrZXRpbmclMjBtYWRlJTIwZWFzeSUyMGFuZCUyMGZ1biUyMiUzRSUzQ2ltZyUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGZWVwLmlvJTJGbWMtY2RuLWltYWdlcyUyRnRlbXBsYXRlX2ltYWdlcyUyRmJyYW5kaW5nX2xvZ29fdGV4dF9kYXJrX2R0cC5zdmclMjIlM0UlM0MlMkZhJTNFJTNDJTJGcCUzRSUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQyUyRmRpdiUzRSUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQyUyRmRpdiUzRSUwQSUyMCUyMCUyMCUyMCUzQyUyRmRpdiUzRSUwQSUzQyUyRmZvcm0lM0UlMEElM0MlMkZkaXYlM0UlMEElMEElM0MhLS1FbmQlMjBtY19lbWJlZF9zaWdudXAtLSUzRQ=="]