Tag: mac
Zoom fixes security flaw that let attackers hijack your Mac
Zoom users with Macs can rest a little easier. Ars Technica reports Zoom has updated its Mac software to patch a vulnerability that let would-be intruders take control of systems. The video calling software’s auto-updater not only ran with root-level access, but relied on a signature check that could be fooled simply by giving a package a familiar file name. An attacker who already had a foothold on the machine could use it to push a downgraded, more vulnerable version of the app or otherwise run code as root.
Objective-See Foundation (OSF) creator and researcher Patrick Wardle first discovered the security hole, and disclosed it to Zoom in December last year. Zoom fixed that problem, but introduced another bug in the process. Zoom addressed that, too, but Wardle found still another flaw. The OSF founder discussed his findings at Def Con last week. Zoom acknowledged the issue that day, and patched it afterward.
This isn’t the first time Zoom has grappled with security headaches, including for the Mac. In 2019, the company raced to fix a webcam hijack exploit that relied on a locally-created web server. Increased scrutiny of Zoom at the start of the COVID-19 pandemic in spring 2020 also prompted a full-scale review of the company’s practices. While that did lead to changes, it’s clear Zoom isn’t immune to missteps.
Update Zoom Now to Protect Your Mac from This Security Flaw
Older versions of Zoom could allow hackers to take over your Mac through a privilege escalation vulnerability. The latest Zoom update (5.11.5) patches this flaw. If you use Zoom on your Mac, you should update the software now.
Read This Article on Review Geek ›
Zoom’s latest update on Mac includes a fix for a dangerous security flaw
Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.
Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings.
As Corin explains, the exploit targets the Zoom installer, which requires special user permissions to run. By…
Security researcher reveals Zoom flaws that could’ve allowed attackers to take over your Mac
Zoom’s automatic update option helps users make sure they have the latest, safest version of the video conferencing software, which has had multiple privacy and security issues over the years. At this year’s Def Con, however, a Mac security researcher reported vulnerabilities in that very tool that attackers could have exploited to gain full control of a victim’s computer. According to Wired, Patrick Wardle presented two vulnerabilities during the conference. He found the first in the app’s signature check, which is supposed to certify that the update being installed really comes from Zoom and to confirm that it is a newer version. In other words, it is what stops attackers from tricking the automatic update installer into installing an older, more vulnerable version of the app.
Wardle discovered that attackers could bypass the signature check by naming their malware file a certain way. And once they’re in, they could get root access and control the victim’s Mac. The Verge says Wardle disclosed the bug to Zoom back in December 2021, but the fix it rolled out contained another bug. This second vulnerability could have given attackers a way to circumvent the safeguard Zoom set in place to make sure an update delivers the latest version of the app. Wardle reportedly found that it’s possible to trick a tool that facilitates Zoom’s update distribution into accepting an older version of the video conferencing software.
Zoom already fixed that flaw as well, but Wardle found yet another vulnerability, which he also presented at the conference. He discovered that there is a window between the auto-installer’s verification of a software package and the actual installation in which an attacker can inject malicious code into the update. A downloaded package meant for installation can apparently retain its original read-write permissions, allowing any user on the machine to modify it. That means even users without root access could swap its contents for malicious code, which the root-level installer would then install, and so gain control of the target computer.
The company told The Verge that it’s now working on a patch for the new vulnerability Wardle has disclosed. As Wired notes, though, attackers need to have existing access to a user’s device to be able to exploit these flaws. Even if there’s no immediate danger for most people, Zoom advises users to “keep up to date with the latest version” of the app whenever one comes out.
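The two weaknesses the articles above describe, a signature check that can be satisfied by a file name and a verify-then-install gap on a world-writable package, are shown here beside hardened versions. This is an added example, not Zoom’s updater code and not from the original page: the signer identity is a placeholder, the `pkgutil --check-signature`-style output is constructed, and a SHA-256 allow-list stands in for a real signature so the script runs offline.

```python
"""Added example, not Zoom's updater: two updater weaknesses beside hardened
versions. 1) trust decided by substring-matching checker output that echoes
the attacker-chosen file name; 2) verifying a package where another local
user can still write to it, then installing whatever is there (TOCTOU).
The signer string is a placeholder and the checker output is constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Optional, Tuple

EXPECTED_SIGNER = "Developer ID Installer: Example Corp (TEAMID1234)"  # placeholder
GOOD_PACKAGE = b"genuine package bytes, version 2\n"                    # constructed
TRUSTED_DIGESTS = {hashlib.sha256(GOOD_PACKAGE).hexdigest()}           # stands in for a signature


def check_signature_output(path: str) -> str:
    """Constructed stand-in for `pkgutil --check-signature <path>` output.
    Like the real tool it echoes the path on its first line; it reports a
    signer only for bytes in the trust store above."""
    with open(path, "rb") as f:
        trusted = hashlib.sha256(f.read()).hexdigest() in TRUSTED_DIGESTS
    out = f'Package "{path}":\n'
    if trusted:
        out += "   Status: signed by a developer certificate issued by Apple for distribution\n"
        out += f"   Certificate Chain:\n    1. {EXPECTED_SIGNER}\n"
    else:
        out += "   Status: no signature\n"
    return out


def weak_verify(path: str) -> bool:
    """Bug: the searched text includes the echoed path, so an unsigned file
    whose name contains the signer string passes."""
    return EXPECTED_SIGNER in check_signature_output(path)


def strict_verify(path: str) -> bool:
    """Checks the status line and the exact leaf-certificate line, skipping the
    echoed path line. Only sound when the path is not attacker-chosen, which
    hardened_install guarantees by staging the file under a fixed name."""
    lines = [l.strip() for l in check_signature_output(path).splitlines()[1:]]
    signed = any(l.startswith("Status: signed by a developer certificate") for l in lines)
    return signed and f"1. {EXPECTED_SIGNER}" in lines


Tamper = Optional[Callable[[str], None]]


def weak_install(pkg: str, dest: str, tamper: Tamper = None) -> Optional[bytes]:
    """Verify in place, then install from the same writable path. `tamper`
    stands in for another local user rewriting the file in the gap."""
    if not weak_verify(pkg):
        return None
    if tamper:
        tamper(pkg)  # the race is lost here
    shutil.copyfile(pkg, dest)
    with open(dest, "rb") as f:
        return f.read()


def hardened_install(pkg: str, dest: str, tamper: Tamper = None) -> Optional[bytes]:
    """Copy into a private 0700 directory under a fixed name, then verify and
    install that copy. Later changes to the original cannot affect it."""
    private = tempfile.mkdtemp(prefix="updater-")  # mkdtemp creates it mode 0700
    try:
        staged = os.path.join(private, "update.pkg")
        shutil.copyfile(pkg, staged)
        os.chmod(staged, 0o600)
        if tamper:
            tamper(pkg)  # same race; the staged copy is untouched
        if not strict_verify(staged):
            return None
        shutil.copyfile(staged, dest)
        with open(dest, "rb") as f:
            return f.read()
    finally:
        shutil.rmtree(private, ignore_errors=True)


def demo_filename_bypass(workdir: Optional[str] = None) -> Tuple[bool, bool]:
    """Unsigned file named after the signer: weak check passes, strict check fails."""
    workdir = workdir or tempfile.mkdtemp(prefix="demo-")
    evil = os.path.join(workdir, f"{EXPECTED_SIGNER}.pkg")
    with open(evil, "wb") as f:
        f.write(b"unsigned attacker payload\n")
    return weak_verify(evil), strict_verify(evil)


def demo_toctou(workdir: Optional[str] = None) -> Tuple[Optional[bytes], Optional[bytes]]:
    """World-writable package swapped between the check and the install."""
    workdir = workdir or tempfile.mkdtemp(prefix="demo-")
    pkg = os.path.join(workdir, "update-download.pkg")

    def write_good() -> None:
        with open(pkg, "wb") as f:
            f.write(GOOD_PACKAGE)
        os.chmod(pkg, 0o666)  # writable by any local user, as the story describes

    def swap(path: str) -> None:
        with open(path, "wb") as f:
            f.write(b"attacker payload\n")

    write_good()
    weak = weak_install(pkg, os.path.join(workdir, "weak-installed.pkg"), swap)
    write_good()
    hard = hardened_install(pkg, os.path.join(workdir, "hard-installed.pkg"), swap)
    return weak, hard


if __name__ == "__main__":
    print("filename bypass (weak, strict):", demo_filename_bypass())
    print("toctou (weak installed, hardened installed):", demo_toctou())
```

The two fixes converge on one rule: a privileged installer should never verify or install a file that a less-privileged user can still rename or rewrite. Copying into a root-owned, mode 0700 directory under a fixed name removes both the attacker-chosen path from the checker’s output and the window in which the verified bytes can change.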
Mac Hacker’s Code Is So Good, Corporations Keep Stealing It
One of the central examples in Wardle’s case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to monitor whether any macOS applications were surreptitiously accessing the microphone or webcam, with much success: it was effective not only as a way to find Mac malware that was surveilling users but also to uncover the fact that a legitimate application like Shazam was always listening in the background. […] But years after OverSight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products, even down to replicating the same bugs that Wardle’s code had.
Three different companies were found to be incorporating techniques lifted from Wardle’s work in their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says that he believes the code theft was likely the work of an individual employee, rather than a top-down strategy. The companies also reacted positively when confronted about it, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without authorization, and all eventually paid him directly or donated money to the Objective-See Foundation. The Verge notes that Wardle’s cousin Josh Wardle created the popular Wordle game, which was purchased earlier this year by The New York Times.
Read more of this story at Slashdot.
Dropbox Plans to Release Mac App Beta With Full Support for macOS Monterey in Fourth Quarter
With the release of macOS 12.3 in March, Apple deprecated kernel extensions used by cloud storage services like Dropbox and OneDrive, resulting in users being unable to open online-only files stored on Dropbox or OneDrive in third-party apps after updating. The new version of Dropbox for Mac will include full support for opening online-only files, but the updated app has still yet to be released after several months.
If the latest timeframe promised by Dropbox is kept, the public beta for the new Mac app should be available around October to November, which is likely around the same time that Apple will publicly release macOS Ventura.
In the meantime, Dropbox users can continue to open online-only files on macOS Monterey and later by double clicking on them in the Finder app.
The full forum post reads as follows:
Hi everyone,
Thank you for reaching out. We hear your feedback and we’re working hard on this experience.
A public beta for full support of macOS will be available in early Q4. For now, you can still double-click to open files in Finder. Everything else is working as usual.
Your experience on PC devices, dropbox.com, and from the latest iOS and Android apps remains unaffected. You can find more information here: https://help.dropbox.com/installs-integrations/desktop/macos-12-monterey-support.
Please ensure you have turned on early releases and once the beta is available to you, you will receive a notification.
Thank you.
Dropbox previously said it would begin rolling out an updated version of its Mac app to beta testers in March, but development has evidently taken longer, leading to many complaints in a Dropbox forum thread about the matter.
This article, “Dropbox Plans to Release Mac App Beta With Full Support for macOS Monterey in Fourth Quarter” first appeared on MacRumors.com
Shazam App for Mac Gains Apple Silicon Support, New Icon
The Shazam app for Mac is now a universal binary, so it runs natively on both Intel Macs and those with Apple silicon inside.
Apple finalized its purchase of Shazam back in 2018, but the Mac app has received few updates since then, making this the most notable update since the acquisition.
The Shazam app adds an icon to the Mac’s menu bar that can be clicked to identify a song that is playing. The functionality is built into Siri so Mac users can access Shazam without having to install an app, but some may prefer an easy access menu bar app.
(Thanks, Aaron!)
This article, “Shazam App for Mac Gains Apple Silicon Support, New Icon” first appeared on MacRumors.com
Batteries App Brings iOS 16’s New Battery Percentage Icon to the Mac
As on the iPhone, the battery percentage appears inside the battery icon on the Mac for a consistent appearance across iOS and macOS. The existing battery indicator on the Mac can be disabled in the System Settings app in the Battery menu.
Starting with the fifth developer beta of iOS 16, it is once again possible to view an iPhone’s battery percentage in the status bar without having to swipe down to open Control Center. The feature is available on most iPhones with a notch, with the exception of the iPhone 12 mini, iPhone 13 mini, standard iPhone 11, and iPhone XR. It’s possible that Apple may expand the icon to additional iPhones in later iOS 16 betas.
Apple had removed the ability to view battery percentage in the status bar when the iPhone X was released in 2017 due to the notch and only brought it back now.
Batteries for Mac is a useful app that lets you view battery percentages for an iPhone, iPad, Apple Watch, AirPods, Beats, and other Bluetooth devices in the macOS menu bar. The app can also provide low battery notifications for the devices on the Mac. The app is priced at $8.99 in the U.S. and is also available as part of the Setapp subscription bundle.
This article, “Batteries App Brings iOS 16’s New Battery Percentage Icon to the Mac” first appeared on MacRumors.com