Categories
Security

Zoom’s latest update on Mac includes a fix for a dangerous security flaw

Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.

Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings.

As Corin explains, the exploit targets the Zoom installer, which runs with elevated privileges in order to do its job. By abusing that privileged installer, Wardle found that an attacker could essentially “trick” Zoom into installing a malicious program by arranging for the package to carry Zoom’s cryptographic signature. From there, the attacker could gain further access to the user’s system, letting them modify, delete, or add files on the device.

“Mahalos to Zoom for the (incredibly) quick fix!” Wardle said in response to Zoom’s update. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”
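The mitigation Wardle describes (the privileged updater taking ownership of the staged .pkg so the unprivileged user can no longer alter it between verification and install) as an added example that is not Zoom’s code and is not part of the original article. The function name `claim_staged_package`, the staging paths under `/tmp`, and the use of `fchown` on an open descriptor (rather than `lchown` on a path, as the quoted patch does) are this example’s own choices; the demo scenarios use the caller’s own uid/gid so they run without root.

```c
/* Added example (not Zoom's code): a privileged updater takes ownership of a
 * staged package before trusting it, so an unprivileged user can no longer
 * modify the file between verification and installation. Zoom's fix, per the
 * page, calls lchown on the .pkg path; this example uses fchown on an already
 * open descriptor so the ownership change, the inode check and any later read
 * all refer to the same file object. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Take ownership of the staged file at `path` and hand it to `uid:gid`.
 * Returns an open read-only descriptor on success, -1 on any failure.
 * Refuses symlinks and anything that is not a regular file. */
int claim_staged_package(const char *path, uid_t uid, gid_t gid)
{
    struct stat before, after;

    /* O_NOFOLLOW: a symlink planted at the staging path must not redirect us. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (fstat(fd, &before) != 0 || !S_ISREG(before.st_mode)) {
        close(fd);
        return -1;
    }

    /* Ownership first, then strip write bits for group/other. After this the
     * original (unprivileged) owner can no longer rewrite the contents. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, 0644) != 0) {
        close(fd);
        return -1;
    }

    /* Re-check that the path still names the inode we hold open; a different
     * file at the same path would mean it was swapped underneath us. */
    if (lstat(path, &after) != 0 || after.st_ino != before.st_ino ||
        after.st_dev != before.st_dev || !S_ISREG(after.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular staged file is accepted and ends up with no
 * group/other write permission. Returns 1 on the expected outcome, 0 otherwise. */
int demo_regular_file_accepted(void)
{
    char path[] = "/tmp/staged-pkg-XXXXXX";   /* constructed staging path */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return 0;
    if (write(tmp, "pkg", 3) != 3) {
        close(tmp);
        unlink(path);
        return 0;
    }
    close(tmp);

    int fd = claim_staged_package(path, getuid(), getgid());
    int ok = 0;
    if (fd >= 0) {
        struct stat st;
        ok = fstat(fd, &st) == 0 && (st.st_mode & 0022) == 0;
        close(fd);
    }
    unlink(path);
    return ok;
}

/* Constructed scenario: a symlink at the staging path is rejected. */
int demo_symlink_rejected(void)
{
    char target[] = "/tmp/staged-real-XXXXXX";
    int tmp = mkstemp(target);
    if (tmp < 0)
        return 0;
    close(tmp);

    char link[256];
    snprintf(link, sizeof link, "%s.lnk", target);
    unlink(link);
    if (symlink(target, link) != 0) {
        unlink(target);
        return 0;
    }

    int fd = claim_staged_package(link, getuid(), getgid());
    int rejected = (fd < 0);
    if (fd >= 0)
        close(fd);
    unlink(link);
    unlink(target);
    return rejected;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_regular_file_accepted());
    printf("symlink rejected:      %d\n", demo_symlink_rejected());
    return 0;
}
```

The point of the ordering is that everything after the ownership change (signature verification, reading the payload, running the install) operates on a file the original user can no longer write to, which is what closes the window Wardle’s finding relied on.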

You can install the 5.11.5 update on Zoom by first opening the app on your Mac and hitting zoom.us (this might be different depending on what country you’re in) from the menu bar at the top of your screen. Then, select Check for updates, and if one’s available, Zoom will display a window with the latest app version, along with details about what’s changing. From here, select Update to begin the download.



Repost: Original Source and Author Link


Zoom’s new security feature will let you stop ‘Zoombombers’ in their tracks

Zoom will now let you temporarily pause meetings so you can kick out “Zoombombers” or disruptive individuals, the company announced in a blog post.

As Zoom usage skyrocketed during the pandemic, pranksters and hackers found ways to invade Zoom calls and display shocking videos and disruptive content, a practice that has become known as “Zoombombing.” With Zoom’s new security feature, you’ll be able to suspend a meeting to block bad content from being shown and also report the Zoombomber to Zoom.

To suspend a meeting, click the Security icon while on a call and then click “Suspend Participant Activities.” When you do, all video, audio, in-meeting chat, annotations, screen sharing, and recording will be suspended and all breakout rooms will end, which should shut down the Zoombomber’s activity. From there, Zoom will ask the host if they want to report a user, and if they do, that user will be ejected from the meeting and Zoom’s security team will be notified.

Zoom says the new feature is being enabled by default for all free and paid users and is available on the Zoom clients for Mac, PC, and Linux, as well as Zoom’s mobile apps. I should note that I wasn’t able to see the feature on Zoom on my work MacBook Pro, but I suspect that’s due to my IT settings.

In April, Zoom announced a 90-day feature freeze to fix privacy and security issues on the platform that came to light following the massive surge in users relying on it during the pandemic. Many of Zoom’s resulting improvements, such as turning waiting rooms on by default for basic, single-license Pro, and education accounts, could help make it harder for Zoombombers to infiltrate meetings.



Zoom’s end-to-end encryption has arrived

Zoom’s end-to-end encryption (E2EE) has arrived, letting both free and paid users secure their meetings so that only participants, not Zoom or anyone else, can access their content. Zoom says E2EE is supported across its Mac, PC, iOS, and Android apps, as well as Zoom Rooms, but not its web client or third-party clients that use the Zoom SDK.

E2EE has launched in technical preview, which means Zoom is asking for feedback on the feature for 30 days. However, the company says that E2EE will continue to be available after this period. Instructions on how to enable it can be found in Zoom’s help center.

Zoom has previously offered encryption for its calls, but the data was only encrypted between each meeting participant and Zoom’s servers, rather than being end-to-end encrypted between participants. Once E2EE is enabled, you can check that Zoom is using the more secure kind of encryption using the green shield at the top left of a meeting window. The shield will show a padlock rather than a checkmark if the meeting is encrypted end-to-end.

Although E2EE meetings are more secure, they don’t work with a few of Zoom’s features. These include its cloud recording, live transcription, polling, meeting reactions, and join before host features. Participants also won’t be able to join using “telephone, SIP/H.323 devices, on-premise configurations, or Lync/Skype clients,” as Zoom says these can’t be end-to-end encrypted.

Zoom’s E2EE meetings support a maximum of 200 participants. That won’t affect users on Zoom’s Basic or Pro plans, which max out at 100 participants, but it could be a problem for Business or Enterprise subscribers, whose plans otherwise allow for up to 300 or 500 participants.

End-to-end encryption is available for both free and paid users, but Zoom says free accounts will need to verify their phone number using SMS and will also need a valid billing option associated with their account. Initially, Zoom said end-to-end encryption wouldn’t be available for free users, to prevent the service from being used for unlawful activity, but the company quickly backtracked and announced it would be available for everyone later that month.

This initial launch is just the first of four phases Zoom is planning for its end-to-end encryption offering. The next phase, which is scheduled to include better identity management and support for single sign-on, is currently planned to launch next year.
