
MacRumors

macrumors bot
Original poster


Zoom has released a new version of its macOS app with a fix for a security vulnerability affecting the app's automatic updates feature.


In an August 13 security bulletin, Zoom said versions 5.7.3 to 5.11.3 of its macOS app contain a vulnerability in the auto-update process that can be exploited by a local low-privileged user to gain root privileges to the operating system. The vulnerability has been patched in version 5.11.5 of the Zoom app for macOS, available now.

The vulnerability was revealed by Mac security researcher Patrick Wardle at the hacking conference DEF CON in Las Vegas on Friday. The Verge and WIRED shared more details about Wardle's findings for those interested in learning more.

Article Link: Zoom Updates Mac App With Important Security Fix
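A fleet-triage check for the version range given in the post above, added here as an example and not part of the original article or any Zoom tooling. The inventory lines, host names and build numbers are constructed, and the "version (build)" string format is an assumption about what an inventory tool reports.

```python
import re

# Bounds exactly as stated in the post (Zoom's August 13 bulletin).
AFFECTED_MIN = (5, 7, 3)
AFFECTED_MAX = (5, 11, 3)
FIXED = (5, 11, 5)

def parse_version(text):
    """Return the leading dotted version as a tuple of three ints, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(text):
    """Classify one reported version string against the bulletin's range."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    # Compare as integer tuples: as plain strings "5.7.3" sorts after "5.11.3",
    # which would put the lower bound above the upper bound.
    if v >= FIXED:
        return "patched"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    # Older than 5.7.3, or between 5.11.3 and 5.11.5: the post says nothing
    # about these builds, so flag them for an update rather than clearing them.
    return "not-listed"

def triage(inventory_lines):
    """Group hosts by status from 'host,version' lines."""
    result = {}
    for line in inventory_lines:
        host, _, version = line.partition(",")
        result.setdefault(classify(version), []).append(host.strip())
    return result

# Constructed sample inventory (hypothetical hosts and build numbers).
SAMPLE = [
    "mac-001,5.11.3 (1111)",
    "mac-002,5.7.3",
    "mac-003,5.11.5 (2222)",
    "mac-004,5.11.4",
    "mac-005,5.6.9",
    "mac-006,not installed",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```
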
 
Tip: occasional or casual users of Zoom do not have to install the Zoom client. Zoom will run in most web browsers with no downloads or installations needed.

Simply follow the conference link sent out by the conference organizer. Then wait until a "Join in browser" link appears in the browser window. If Zoom automatically downloads a software installer, avoid clicking on the installer and move it to the Trash.

Sometimes the "Join in browser" link doesn't appear automatically. If so, try clicking on the Join Meeting button (yes, even though you haven't installed the Zoom software).


----------
ETA: additional info below.
 
Explain this to me like I'm 8. "be exploited by a local low-privileged user to gain root privileges to the operating system": would they be able to read the keychain or credit card info without the password?
 
Still a terrible app that I cannot believe businesses use for remote video work. Figure all that data recorded on Chinese servers being mined.
I remember there's another video conferencing application that uses the Zoom-engine, I forgot the name. Second, the main rival, Microsoft Teams, did a poor job on both Mac and Windows.
 
I remember there's another video conferencing application that uses the Zoom-engine, I forgot the name. Second, the main rival, Microsoft Teams, did a poor job on both Mac and Windows.

Nothing else uses the “Zoom engine” because that would be like Apple licensing out their SoC architecture. The reason Zoom does video so well is partly because they have a massive global infrastructure to transcode and reduce latency.
 
For organizations that already spend a small fortune on Google Workspace or Microsoft 365, it's hard to justify spending more to use another platform like Zoom, so employees have to suffer through the downsides of using the bundled apps in their respective ecosystems. I loved Zoom, but Meets and Teams won in the end, despite their shortcomings.
 
Still a terrible app that I cannot believe businesses use for remote video work. Figure all that data recorded on Chinese servers being mined.

not surprised ~ zoom is a plague; refuse to use it

Good tip. They seem to be the next Flash from all the security updates.

Hate to break the news, but all of the so-called video teleconference / meeting apps suck balls. In my experience Zoom sucks the least or it allows you to almost do what you need to.

What data is being recorded on Chinese servers from the US? Please be specific.
I've used zoom on numerous occasions and it has functioned very, very well. I've come to believe on MR that when the haters hate something, it must be good. And I insert fake news into my zoom activity to confound those Chinese spy servers given how major newspapers are now reporting how Chinese intelligence services have deeply penetrated Zoom. Beware!
 
Is your real name Alex Jones? And I have a bridge over the Grand Canyon available for purchase if you are interested.
Despite a recent flood of security and privacy failures, Yuan, Zoom’s CEO, appears to be listening to feedback and making a real effort to improve the service. “These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones,” Yuan wrote in his blog post.

Zoom admits calls got 'mistakenly' routed through China

Zoom Traffic Through China: Company Apologizes
 
Glad I've always only installed it in a separate, isolated user account on my Mac. It's installed for that user only instead of system-wide, so any updater daemon was not given elevated privileges at install. My understanding is this negates this particular vulnerability because nothing can be running as root in this configuration (nor can anything read my own user data, which is what I really care about).

They lost the opportunity to earn my trust when all the news came out about security holes early in the pandemic. Glad I didn't relax when they fixed those issues. Ideally I'd avoid it altogether, but that's not always possible. I suppose running it in a VM should be even more secure, but I've usually found video stuff to be pretty janky in a VM, so didn't want to hassle with it.
 
Despite a recent flood of security and privacy failures, Yuan, Zoom’s CEO, appears to be listening to feedback and making a real effort to improve the service. “These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones,” Yuan wrote in his blog post.

Zoom admits calls got 'mistakenly' routed through China

Zoom Traffic Through China: Company Apologizes
I don't believe any of that. And any issues have already been fixed. And what software hasn't been compromised? Apple is the worst of all. I guarantee that for every 1 security fix that Apple does, there are 10 more that they won't fix.

You have to understand, you haters are your own worst enemies. The haters exaggerate and fabricate to such a huge extent, that when you may have a legitimate concern, it isn't believed. "Zoom is a plague"? Give me a break. Is this Zoom disaster with China still continuing? Why hasn't it reached mainstream news? Because even if it was an "issue", it certainly hasn't destroyed the world yet. And how much data has been lost, compromised, etc? I still occasionally read the forum in hope of some intelligent posts. But those are getting further and further between. If you want to be believed, get rid of the haters!!
 
I don't believe any of that. And any issues have already been fixed. And what software hasn't been compromised. Apple is the worst of all.

You have to understand, you haters are your own worst enemies. The haters exaggerate and fabricate to such a huge extent, that when you may have a legitimate concern, it isn't believed. "Zoom is a plague"? Give me a break. Is this Zoom disaster with China still continuing? Why hasn't it reached mainstream news? Because even it was a "issue", it certainly hasn't destroyed the world yet. And how much data has been lost, compromised, etc? I still occasionally read the forum in hope of some intelligent posts. But those are getting further and further between. If you want to be believed, get rid of the haters!!
You don't believe what ZOOM and its CEO said?
 
Used it only once for a meeting. Or was it a seminar? Can’t remember.

We used Hangout the other times.
 
Ever since their security debacle a few years ago, I’ll only use Zoom on my iPhone or iPad which I presume are more secure. And never by choice under any circumstances.

Google, Apple, Microsoft, Slack, and several others are probably all kicking themselves and trying to figure out how they let Zoom become a verb right under their noses.

This one has to go into business school case studies. They all had video conferencing years before Zoom even existed in some cases, but they all (especially Apple) were too concerned with trying to lock users into their platform.
 