Zoom installer does a stupid

> When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom

> But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege
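The two kinds of check the quoted passage contrasts, as an added illustration that is not from the thread or from Zoom's code: a name-matching check that a file named after the signing certificate slips past, beside a check that verifies a signature against a key pinned in the updater. The vendor name, package contents and the Ed25519 key pair are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"strings"
)

// Constructed stand-in for the vendor's certificate subject; not Zoom's real identifier.
const vendorCertName = "Developer ID Installer: Example Vendor"

// Package is a constructed model of an installer handed to an updater.
type Package struct {
	Name      string // file name on disk: attacker-controlled
	Signer    string // signer name reported for the file: untrusted metadata
	Payload   []byte // installer contents
	Signature []byte // detached signature over Payload, empty when unsigned
}

// vulnerableCheck models the flaw in the thread: it builds a text report from
// untrusted metadata and accepts the package if the vendor's certificate name
// appears anywhere in it, so a file merely *named* after the certificate passes.
func vulnerableCheck(p Package) bool {
	report := p.Name + " signed by " + p.Signer
	return strings.Contains(report, vendorCertName)
}

// verifiedCheck ignores names entirely and verifies the detached signature
// against a key pinned inside the updater, which is what the check should do.
func verifiedCheck(p Package, pinnedKey ed25519.PublicKey) bool {
	return len(p.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pinnedKey, p.Payload, p.Signature)
}

// Demo signs a genuine package, builds an unsigned one whose file name is the
// certificate string, and returns each check's verdict on both.
func Demo() (vulnGenuine, vulnRenamed, verGenuine, verRenamed bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := Package{Name: "VendorUpdate.pkg", Signer: vendorCertName,
		Payload: []byte("constructed genuine installer bytes")}
	genuine.Signature = ed25519.Sign(priv, genuine.Payload)
	renamed := Package{Name: vendorCertName + ".pkg",
		Payload: []byte("constructed arbitrary program bytes")}
	return vulnerableCheck(genuine), vulnerableCheck(renamed),
		verifiedCheck(genuine, pub), verifiedCheck(renamed, pub), nil
}
```

Demo returns true, true, true, false: the name-based check accepts both packages, the signature check accepts only the genuine one.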


@rysiek Considering this was the company saying their product was E2E encrypted and finally had to admit it was only transport encryption (in simple terms: https) – is anyone surprised? I'm just surprised they're still around and widely used. Should have gone down the sink long ago…

@IzzyOnDroid oh nobody is surprised. It's still worth documenting their ongoing ineptitude.

Brilliant. How could you accidentally program that, I wonder 🤔

@rysiek That's good ol' capitalism at work! We can thank Google, Microsoft, Apple and above all else, whoever was the first person to make copyright so long of a length that likely stuff will still be copyrighted a century later from long dead founders such as Walt Disney!

This is why we can have proprietary software as the common! Software so secure as a plain ordinary lock on a door from the 1900s!

Kind of reminds me of the ol' saying, what else could possibly go wrong!
