Zoom for Mac patches critical bug – update now!
Given the apparent speed and ease with which Zoom was able to emit a patch for the bug, dubbed CVE-2022-28756, you're probably wondering why Wardle didn't tell Zoom about the bug in advance, setting the day of his speech as the deadline for revealing the details.
That would have given Zoom time to push out the update to its many Mac users, thus eliminating the gap between Wardle explaining to the world how to abuse the bug, and the patching of the bug.
Wardle explains the bug disclosure timeline in the slides from his DEF CON talk, and lists a stream of Zoom updates related to the flaws he discovered.
Creating a package with an absurd-but-valid name such as "Zoom Video Communications, Inc. Developer ID Certification Authority Apple Root CA.pkg" would trick the package verifier into finding the "Identity strings" it was looking for.
According to Wardle, Zoom has now prevented this bug by changing the access rights on the update package file that's copied in step 1 above.
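To show why the name-based trick described above works, here is an added illustration (not Zoom's code and not from the article). It assumes the vulnerable verifier scanned a text report that embedded the package path and accepted the package when each expected identity string appeared anywhere in that text; the strict variant parses only the certificate-chain lines and compares them exactly.

```python
"""Added illustration of a substring-based identity check versus a strict one.
Assumption: the verifier worked on a text report (constructed here in the style of
a signature-check tool) whose first line names the package path."""

EXPECTED_IDENTITIES = [
    "Zoom Video Communications, Inc.",
    "Developer ID Certification Authority",
    "Apple Root CA",
]


def make_report(pkg_path, chain):
    """Build a constructed report: a package line, then one numbered line per
    certificate in the signing chain."""
    lines = [f'Package "{pkg_path}":']
    lines += [f"   {i + 1}. {name}" for i, name in enumerate(chain)]
    return "\n".join(lines)


def vulnerable_check(report):
    # Substring search over the whole report: the package path itself counts
    # as evidence, so a crafted file name satisfies every expected string.
    return all(identity in report for identity in EXPECTED_IDENTITIES)


def parse_chain(report):
    """Return only the numbered certificate entries, ignoring the path line."""
    chain = []
    for line in report.splitlines():
        stripped = line.strip()
        if stripped[:1].isdigit() and ". " in stripped:
            chain.append(stripped.split(". ", 1)[1])
    return chain


def strict_check(report):
    # Compare the parsed chain, entry by entry, against the expected identities.
    return parse_chain(report) == EXPECTED_IDENTITIES


# Constructed inputs: a genuinely signed package and an untrusted package whose
# file name merely contains the three identity strings.
GENUINE = make_report("/tmp/Zoom.pkg", EXPECTED_IDENTITIES)
TRICK_NAME = make_report(
    "/tmp/Zoom Video Communications, Inc. Developer ID Certification Authority Apple Root CA.pkg",
    ["Untrusted Test Signer"],
)
```

The substring check accepts both reports, while the strict check rejects the one whose signer chain does not match.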
If you're using Zoom on a Mac, open the app and then, in the menu bar, go to zoom.
News URL
https://nakedsecurity.sophos.com/2022/08/15/zoom-for-mac-patches-get-root-bug-update-now/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-08-15 | CVE-2022-28756 | Unspecified vulnerability in Zoom Meetings: the Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto update process. | 7.8