- It took eight months to fix a Zoom exploit that allowed malware to be installed on the Mac.
- Many of us need video conferencing apps for our work but don’t have an IT department at home to protect us.
- Luckily, there are some good options for staying safe while zooming.
A rookie mistake in Zoom’s Mac installer created a massive security hole that allowed hackers to do just about anything with your computer.
Zoom has a history of security and trust flaws, from installing secret web servers on your computer to lying about the number of daily active users. Well, Mac security researchers Patrick Wardel has discovered an error in the installer this makes you vulnerable to exploitation. Given its track record, it seems likely Zoom could face similar issues in the future, so how should you protect yourself?
“Perhaps the marketplace will penalize Zoom for the security breach, but this sheds light on a much larger issue in the cyber threat space. Most ‘regular users’ (read: consumers) use antivirus software. What they don’t realize, however, is that these legacy technologies aren’t keeping pace with the rapid evolution of threats and exploits deployed by cybercriminals,” Chase Norlin, cybersecurity expert and CEO at Transmosis, told Lifewire via email.
Zoom has become the standard way to video confer in the past few years, largely because it’s so easy to set up and join a call. But its epic rise has been littered with privacy, trust, and security breaches. The latest works like this.
When installing Zoom on your Mac, you need to enter an admin password to give the installer elevated privileges to add files to deep parts of the system. Wardle discovered that Zoom retains these privileges even after installation to install future patches without asking for your password again.
Just uninstall all meeting apps from your computer. Use the browser version of the meeting client. They work fine now.
That would just be a breach of trust or at least a breach of expectations. However, the installer also failed to properly verify and identify subsequent Zoom patches. This means malware could disguise itself as a Zoom update and gain full access to install itself.
Wardle told Verge that he first reported this vulnerability in December last year. Zoom’s fix introduced another bug that enabled a similar exploit that took eight months to fix. This is a big concern for people who need to use the software. How do we know the current version of Zoom doesn’t contain even more malware and exploits?
Many of us just can’t stop using Zoom. You may need it for meetings while working from home, and it’s just too prevalent to ignore completely. Fortunately, there are some ways to protect yourself.
Regarding Zoom specifically, the best way to avoid security vulnerabilities is to not install the desktop software. One of Zoom’s best features is that anyone can join a call by simply clicking a link and connecting through their web browser.
“Just uninstall all meeting apps from your computer. Use the browser version of the meeting client. They work fine now. Apps run things in the background, and I’m not even going to get into the stupid things they waste CPU time on, 99.9% of the time I don’t even use them,” said Export of Security and Computer Monitoring SwitchOnSecurity on Twitter.
If you want to use your Mac or PC for Zoom, this is the way to go. While a browser-based app may have its own security issues, they don’t allow root-level rogue installations. You might not get all the features, but if you’re just making video calls then it’s fine.
If you have an iPhone or iPad, you can work with it. The iPhone is probably undersized, but a regular or oversized 12.9-inch iPad is ideal, with the bonus of likely having a better camera than the one in your MacBook, iMac, or Studio Display.
Thanks to the way the App Store works and the fact that all apps can only run in their own “sandbox” that isolates them from the rest of the system, they are more secure than desktop apps, especially desktop apps that require an installer is spreading parts of itself deep in your system.
While Mac users have generally never had to worry about viruses, once you enter your password you lose much of the built-in protection. It pays to be very, very suspicious of any software that requires a password for installation, even if it’s a legitimate app. If you don’t trust the developer or their reputation, look elsewhere.
Thanks for letting us know!
Tell us why!
Not enough details
Hard to understand