
Zoom installer does a stupid

> When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom

> But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege
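
An added illustration (not Zoom's code and not taken from the quoted article) of the class of flaw the quote describes: a check satisfied by a name versus one bound to the package bytes. The signer name, key and payloads are constructed, and HMAC stands in for a public-key signature so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed demo values; none of these come from the vendor's updater.
TRUSTED_SIGNER_NAME = "Example Vendor Signing Cert"  # hypothetical certificate name
SIGNING_KEY = b"demo-key-held-by-the-vendor"         # HMAC stand-in for a private key
# With a real signature scheme the updater would hold only the public key.


def sign_package(data: bytes) -> bytes:
    """Vendor side: produce a tag that is bound to the exact package bytes."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def flawed_check(filename: str) -> bool:
    """Flawed pattern: the decision rests on a name the submitter chooses,
    so the contents of the file are never examined."""
    return TRUSTED_SIGNER_NAME in filename


def strict_check(data: bytes, tag: bytes) -> bool:
    """Hardened pattern: recompute the tag over the bytes that will be
    installed and compare in constant time. The file name plays no role."""
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def evaluate() -> dict:
    """Run both checks over a genuine package and an unsigned file that
    merely carries the trusted name."""
    genuine = b"genuine update payload (constructed)"
    genuine_tag = sign_package(genuine)
    unsigned = b"unrelated bytes that were never signed (constructed)"
    named_file = TRUSTED_SIGNER_NAME + ".pkg"
    return {
        "flawed_accepts_named_file": flawed_check(named_file),
        "strict_accepts_unsigned": strict_check(unsigned, b"\x00" * 32),
        "strict_accepts_replayed_tag": strict_check(unsigned, genuine_tag),
        "strict_accepts_genuine": strict_check(genuine, genuine_tag),
    }


if __name__ == "__main__":
    for check, accepted in evaluate().items():
        print(f"{check}: {accepted}")
```
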



Jitsi Meet and TROMjaro, why suffer if you can enjoy?

Considering this was the company saying their product was E2E encrypted and finally had to admit it was only transport encryption (in simple terms: https) – is anyone surprised? I'm just surprised they're still around and widely used. Should have gone down the sink long ago…

Oh, nobody is surprised. It's still worth documenting their ongoing ineptitude.