2

Update Zoom For Mac Now To Avoid Root-Access Vulnerability - Slashdot

 2 years ago
source link: https://it.slashdot.org/story/22/08/15/1945242/update-zoom-for-mac-now-to-avoid-root-access-vulnerability
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Update Zoom For Mac Now To Avoid Root-Access Vulnerability

Do you develop on GitHub? You can keep using GitHub but automatically sync your GitHub releases to SourceForge quickly and easily with this tool so your projects have a backup location, and get your project in front of SourceForge's nearly 30 million monthly users. It takes less than a minute. Get new users downloading your project releases today!
×
If you're using Zoom on a Mac, it's time for a manual update. The video conferencing software's latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system. From a report: The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom's installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn't need one. Wardle found that Zoom's updater is owned by and runs as the root user. It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for ("Zoom Video ... Certification Authority Apple Root CA.pkg"), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.

Everybody seems to want to do this now and it drives us IT nerds nuts. Multi-user OSes with admin rights have been around for how long now? And we want to just give software packages admin rights because reasons? WTF?

We've got CAD software in the office that's insisting the user MUST have full admin rights to even run the software. Why? What does that software need admin rights for? Admin rights to a directory for temp writing? Sure, whatever. But full admin rights just to start up? What kinda garbage are they trying to pull?

  • Re:

    There's a way to fix your problem: Adjust the application manifest. Export the manifest, edit the.manifest XML file, change "requireAdministrator" to "asInvoker", reimport the manifest, delete any code signing certificates in the executable, and fix up the executable checksum. There are a number of very good command-line tools out there that can safely modify files in the PE file format (e.g. Microsoft Visual Studio has a few useful tools). It's entirely likely that the CAD software will function just

    • Re:

      I can understand why an installer wants admin rights. If it is being installed for all users, then admin rights are required.
      That is nonsense, even on Windows.

      If it is being installed for a single user, admin rights might still be required (e.g. if there are dependencies on a system service even if the application itself will only be used by one user).
      No idea about that.

      Installing software packages on Linux require sudo rights.
      That is nonsense.
      That is only required for software that "must" be installed a

  • Re:

    In the olden days that was because it needed to access a hardware copy-protection dongle or some other weird software copy-protection scheme that also required admin access. No other reason I can recall.

  • Re:

    It probably has to do with self-updating, which is functionality which shouldn't even exist — the OS should be handling invoking updates, and no one else. Real operating systems have a facility built into them for handling this sort of thing, and real developers utilize it.

    On Windows it's common to have to have Admin rights for games because they self-update, and they need those rights to be able to silently install runtime packages. So instead of being prompted only when an update happens, they want

    • macOS, the operating system named in the featured article, has such a facility called the Mac App Store. However:

      1. Apple charges developers a fee for using the Mac App Store to distribute updates. The widely cited figure is 99 USD per year plus 30 percent of related revenue.
      2. Apple puts all updates distributed through the Mac App Store through a review process that can delay release of said updates by days or weeks.
      3. macOS runs all applications whose updates are distributed through the Mac App Store in a

      • Re:

        Yeah, I don't dick with Apple because of their proprietary attitude towards the hardware, for the same reason that I use Windows only for gaming and do everything real in Linux. Linux may have shitty package management (RPM is hell, while apt is missing basic features that even SunOS4 had like repairing permissions) but at least it exists, and anyone* can make their own repo.

        * Unless you're talking about snap, but fuck snap


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK