Zoom’s Latest Update on Mac: Fix for a Root-Access Security Flaw

Zoom has published a patch for a bug in its macOS client that could let a local attacker gain root access to the machine.

In an update to its security bulletin, Zoom acknowledges the issue as CVE-2022-28756 and says the fix is included in version 5.11.5 of the Mac client, which is available for download now.

Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings. Until patched, the issue could let a local attacker take over your system.

As Corin explains, the exploit targets the Zoom installer, which runs with special (elevated) user permissions. Wardle found that an attacker could essentially “trick” it into installing a malicious program: the installer accepts a package that carries Zoom’s cryptographic signature, but the package file stayed under the control of the unprivileged user, so what the installer verified was not necessarily what it went on to install. From there, the attacker’s code runs with the installer’s privileges, letting them modify, delete, or add any file on the device.

“Mahalos to Zoom for the quick fix!” Wardle said in response to Zoom’s update. “Reversing the patch, we notice the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus stopping malicious subversion.”
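What the lchown change buys, shown as an added illustration that is not Zoom’s code: a privileged updater must make sure the package file it has just verified cannot be rewritten by an unprivileged user before it is installed. The POSIX sh script below first claims the package (takes ownership and strips group/other write bits, refusing symlinks) and only then treats it as safe to verify; the temporary file it creates is a constructed stand-in for an update .pkg, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Zoom's code): what a privileged installer should do with
# an update package before trusting its signature check. Function names and
# the temporary "package" are hypothetical.

# package_is_trustworthy PATH
# Succeeds only if PATH is a regular file (a symlink is rejected), owned by
# the user running this script, and not writable by group or others.
# Anything else can be replaced by another local user between the moment
# the signature is checked and the moment the contents are installed.
package_is_trustworthy() {
    pkg="$1"
    [ -n "$(find "$pkg" -prune -type f -user "$(id -u)" \
                 ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# claim_package PATH
# The pattern behind the fix quoted above: take ownership of the package and
# drop group/other write bits *before* verifying it. Run as root this is the
# lchown-to-root step; run as an ordinary user it claims the file for that user.
claim_package() {
    pkg="$1"
    if [ -L "$pkg" ] || ! [ -f "$pkg" ]; then
        return 1            # refuse symlinks: chown/chmod would act on the target
    fi
    chown "$(id -u)" "$pkg" && chmod 600 "$pkg"
}

# demo: a world-writable package (the vulnerable state) fails the check;
# the same package passes once claimed.
demo() {
    pkg=$(mktemp) || return 1
    printf 'constructed stand-in for an update .pkg\n' > "$pkg"
    chmod 666 "$pkg"
    if package_is_trustworthy "$pkg"; then
        echo "BUG: swappable package accepted"
    else
        echo "before claim: $pkg is swappable, refusing to verify"
    fi
    if claim_package "$pkg" && package_is_trustworthy "$pkg"; then
        echo "after claim:  $pkg is owned by uid $(id -u), mode 600, safe to verify"
    fi
    rm -f "$pkg"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see both states. Claiming the file is necessary but not sufficient: if the package sits in a directory the unprivileged user can write to, that user can still rename the path away and drop a new file there, so a complete fix also copies the package into a root-only directory and verifies the copy.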

You can install the 5.11.5 update by opening the Zoom app on your Mac and clicking zoom.us in the menu bar at the top of your screen (the name of this menu differs depending on your country). Then select Check for Updates; if one is available, Zoom displays a window with the new version number and details of what has changed. From there, select Update to begin the download.
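For a fleet, checking the installed build number is more reliable than clicking through the updater on each machine. The script below is an added example, not part of the article or of Zoom’s tooling; it assumes the client lives at /Applications/zoom.us.app, reads its CFBundleShortVersionString, and compares it field by field against 5.11.5, so that 5.9.3 or 5.11.4 is reported as vulnerable and 5.12 or 6.0 is not.

```shell
#!/bin/sh
# Added example: is the installed Zoom for Mac at or past the build that fixes
# CVE-2022-28756? The install location below is an assumption.
FIXED_VERSION="5.11.5"
ZOOM_PLIST="/Applications/zoom.us.app/Contents/Info.plist"

# version_ge A B: succeeds if dotted version A is >= B, comparing each field
# as an integer, so "5.12.0" > "5.9.3" (plain string comparison gets this wrong).
version_ge() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}"; fb="${vb%%.*}"
        if [ "$va" = "$fa" ]; then va=""; else va="${va#*.}"; fi
        if [ "$vb" = "$fb" ]; then vb=""; else vb="${vb#*.}"; fi
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# normalize_version STRING: keep only the leading digits and dots,
# e.g. "5.11.5 (9788)" -> "5.11.5", since bundle versions may carry a build tag.
normalize_version() { printf '%s\n' "$1" | sed 's/[^0-9.].*$//'; }

# zoom_is_patched VERSION: succeeds if VERSION is >= 5.11.5
zoom_is_patched() { version_ge "$(normalize_version "$1")" "$FIXED_VERSION"; }

# installed_zoom_version: read the bundle version on a Mac (empty if not installed)
installed_zoom_version() {
    defaults read "$ZOOM_PLIST" CFBundleShortVersionString 2>/dev/null
}

# check_this_mac: report whether this machine still needs the update
check_this_mac() {
    v=$(installed_zoom_version)
    if [ -z "$v" ]; then echo "Zoom not found at $ZOOM_PLIST"; return 2; fi
    if zoom_is_patched "$v"; then echo "Zoom $v: patched (>= $FIXED_VERSION)"; return 0; fi
    echo "Zoom $v: VULNERABLE, update to $FIXED_VERSION or later"; return 1
}

if [ "${1:-}" = "--check" ]; then check_this_mac; fi
```

Run with `--check` on a Mac; the exit code (0 patched, 1 vulnerable, 2 not installed) makes it usable from an MDM script or a cron job.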

Zoom Meetings (commonly abbreviated to Zoom and stylized as zoom) is a proprietary videotelephony program developed by Zoom Video Communications. The free plan allows up to 100 concurrent participants, with a 40-minute time limit. Users can upgrade by subscribing to a paid plan. The highest tier supports up to 1,000 concurrent participants for meetings lasting up to 30 hours.

During the COVID-19 pandemic, there was a significant increase in the use of Zoom for remote work, distance education, and online social interaction. This growth made Zoom one of the most downloaded mobile apps worldwide in 2020, with over 500 million downloads. In addition, Zoom had over 300 million daily meeting participants.

Zoom was founded in 2011 and is headquartered in San Jose, California, with offices in Europe, Asia, and Australia. A beta version that could host conferences with up to 15 video participants was launched on August 21, 2012.

Zoom has several tiers: Basic, Pro, Business, and Enterprise. It is compatible with Windows, macOS, Chrome OS, iOS, Android, and Linux, and is known for a simple interface that is usable regardless of technical expertise. Features include group video conferences, one-on-one meetings, screen sharing, browser extensions, plugins, and the ability to record meetings and have them automatically transcribed. On some computers and operating systems, users can also select a virtual background, downloaded from various sites, to use as a backdrop behind themselves.

The platform is free for video conferences of up to 100 participants at once, with a 40-minute time limit. For longer or larger gatherings, paid subscriptions are available. Features geared towards business conferences, such as Zoom Rooms, are also offered.

Zoom security features include:

  • Password-protected meetings.
  • User authentication.
  • Waiting rooms.
  • Locked meetings.
  • Disabling participant screen sharing.
  • Randomly generated meeting IDs.
  • The ability of the host to remove disruptive attendees.

In June 2020, Zoom began offering end-to-end encryption to business and enterprise users, with AES 256-bit GCM encryption enabled for all users. In October 2020, Zoom extended end-to-end encryption to free and paid users alike. It is available on all platforms except the official Zoom web client.

Zoom also offers a transcription service using Otter.ai software that allows businesses to store transcripts of Zoom sessions online and search them, including separating and labeling different speakers.

Zoom Rooms and Zoom Phone are available as hardware and service products. As of August 2020, Zoom Phone offered domestic telephone service in 40 countries, and the company disclosed that it had sold one million Zoom Phone seats. Zoom for Home, a category of products designed for home use, also became available in August 2020.

In September 2020, Zoom added new accessibility features to make the app easier to use for people who are deaf, hard of hearing, or visually impaired. Notable additions include the ability to rearrange video windows in gallery view, pin video windows to be spotlighted, improved keyboard shortcuts, new tools to adjust the size of closed-captioning text, and the ability to position sign language interpreters directly next to the speaker.

At Zoomtopia 2020, Zoom’s annual user conference, the company announced OnZoom, a virtual event marketplace with an integrated payment system where users can host and promote free or paid live events. With OnZoom, users can schedule and host one-time events or event series for up to 1,000 attendees and sell tickets online. The company also announced Zoom Apps, a feature that integrates third-party apps so they can be used within the Zoom interface during sessions. The first such apps were expected to be available around the end of 2020 from companies including Slack, Salesforce, Dropbox, and Qatalog. In October 2020, Zoom also strengthened protection for its users by rolling out end-to-end encryption for its online meetings.

Zoom said it would begin selling its videoconferencing technology as a white-label product, so other companies could embed it in their own products, with the calls running over Zoom but without the Zoom brand name.

Zoom introduced a new feature called Focus Mode, designed for digital classrooms and other educational settings. When active, the mode hides participants’ screens from each other while the host can still see everyone’s camera stream or screen share. The feature is available on all Zoom accounts, including free ones.

At Zoomtopia, the company announced that end-to-end encryption would become available as an upgrade for Zoom Phone users. The company also announced Bring Your Own Key (BYOK), Verified Identity, and the Video Engagement Center. Other updates include revamped virtual whiteboard features, including touchscreen whiteboards that can be digitized for remote participants, and tighter integration between Zoom Meetings and Zoom Chat.

The option to automatically generate closed captions in English for Zoom meetings was extended to all accounts, including free ones. The feature had previously been available only to paid users.

Zoom added new features, including a virtual whiteboard, gesture recognition, and Zoom IQ for Sales.