But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.” “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. “The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. But Wardle noticed that there is a moment after the installer verifies the software package-but before the package installs it-when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has.
Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. “As always, we recommend users keep up to date with the latest version of Zoom … Zoom also offers automatic updates to help users stay on the latest version.”ĭuring his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. “We have already resolved these security issues,” a Zoom spokesperson told WIRED in a statement. In other words, Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check. Zoom’s signature check was essentially looking at everything on the table and accepting the random birthday card signature instead of actually checking whether the signature was in the right place on the right document. Imagine that you carefully sign a legal document and then put the piece of paper facedown on a table next to a birthday card that you signed more casually for your sister. Ultimately, he realized that Zoom’s check could be defeated. (It’s a sort of wax-seal check to confirm the integrity and provenance of software.) Wardle knew from past research and his own software development that it can be difficult to truly validate signatures in the types of conditions Zoom had set up.
The first vulnerability Wardle found, though, was in the cryptographic signature check.
0 kommentar(er)
