macOS root access was made possible by the Zoom installer

Using the macOS version of Zoom, an attacker could gain access to the entire system, according to a security researcher. On Friday, Mac security specialist Patrick Wardle revealed details of the exploit at the Def Con hacking conference in Las Vegas.

While Zoom has already fixed some of the bugs, one vulnerability is still unpatched, affecting systems today. To install or remove Zoom from a computer, the exploit targets the Zoom installer, which requires special permissions to run.

When Wardle first installed the application, he noticed an auto-update function constantly ran in the background with superuser privileges, even though the installer required a password. After Zoom cryptographically signed a new package, the updater function would install it after Zoom issued an update.

As a result of a bug in the way the checking method was implemented, an attacker could substitute any kind of malware program with elevated privileges and have it run by the updater with elevated privileges - so any file named Zoom's signing certificate would be enough to pass the test.

The attacker assumes they have already gained initial access to the target system, then exploits it in order to gain higher levels of access. It is possible for the attacker to add, remove, or modify any files on the machine by escalating from a restricted user account to a 'superuser' or 'root' account.

A nonprofit organization founded by Wardle, Objective-See Foundation creates open-source security tools for macOS. Wardle previously detailed how for-profit companies had unauthorized access to algorithms from his open-source security software at Black Hat, held the same week as Def Con.

The vulnerability was disclosed to Zoom by Wardle following responsible disclosure protocols in December. He says he was frustrated by an initial Zoom fix that contained another bug. The second bug meant the vulnerability could still be exploited in a slightly roundabout way, so he reported it to Zoom eight months after he first published the work.

The Verge spoke with Wardle before the talk and he said that he was concerned because he not only reported bugs to Zoom but also the mistakes he made and how to fix them. The waiting period for Zoom on Macs took six, seven, eight months with all versions sitting on vulnerable computers.'

Wardle says Zoom fixed the bugs he discovered a few weeks before Def Con. An analysis of the bug, however, revealed another small error.

New versions of the update installer move packages to a directory owned by the 'root' user before installing them. Files in this directory can't be added, removed, or modified by users who don't have root permission.

When a file from another location is moved into the root directory of a Unix system (of which macOS is one), it retains its read-write permissions. Hence, regular users are still able to modify it. It is also possible for a malicious user to alter that file and use it to gain root access because it can be modified.

Wardle says the bug, while currently living in Zoom, is easily fixable and hopes bringing it to the public's attention will 'grease the wheels' for the company to address it sooner rather than later.

Zoom's security and privacy PR lead, Matt Nagel, told The Verge that the company is aware of the recently reported vulnerability in macOS' Zoom auto-updater.