It’s time for Zoom users on Mac to upgrade, again.
After Zoom patched a vulnerability in its Mac auto-update utility that could give malicious actors root access earlier this week, the video conferencing software company issued another patch on wednesdaynoting that the above solution could be omitted.
Zoom users on macOS should to download and run version 5.11.6 (9890), released on August 17. You can also check the Zoom menu bar for updates. Waiting for an automatic update could leave you waiting for days while this exploit becomes public.
Zoom’s incomplete fix was reported by macOS security researcher Csaba Fitzl, aka The damn Offensive Security. Zoom credited Fitzl in his security bulletin (ZSB-22019) and issued a patch the day before Fitzl tweeted about it.
Neither Fitzl nor Zoom detailed how Fitzl was able to circumvent the vulnerability fix. first discovered by Patrick Wardlefounder of the Objective-See Foundation. wardle spoke at Def Con last week about how Zoom’s automatic update utility kept its privileged state to install Zoom packages, but could be tricked into checking other packages. That meant malicious actors could use it to downgrade Zoom for better exploit access or even gain root access to the system.