←back to thread

How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)
796 points _Microft | 3 comments | 31 Mar 20 11:41 UTC | HN request time: 0.421s | source
Show context
xenophonf ◴[31 Mar 20 13:03 UTC] No.22737073[source]
I missed the part where Zoom is holding people's computers for ransom, or formatting the drive, or exfiltrating sensitive information to criminals or state intelligence officers, or mining bitcoin, or other similarly malicious behaviors.

An admin can write to /Applications without privilege escalation? That's a macOS bug. If the operating system didn't rely on an 80s-style put-all-the-executables-in-one-place app launch paradigm, maybe there'd be less incentive for app developers to ignore the per-user Applications folder that macOS supports.

An app can spoof or abuse privilege escalation dialogs? That's because macOS doesn't implement an Orange Book-style Trusted Path. It's why Windows and similar operating systems have secure attention keys in the first place.

So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent. They fixed past issues; they'll probably fix this. Meanwhile, these long-standing macOS security flaws won't be addressed by Apple, who has a terrible track record about these things except when it lets people bypass their App Store.

P.S. As an enterprise customer, I'm much more worried about end-to-end encryption in Zoom, and the apparent lack thereof. I'm also not sure how that compares with other video conferencing services.

replies(3): >>22737135 #>>22737296 #>>22737360 #
rainforest ◴[31 Mar 20 13:11 UTC] No.22737135[source]
> So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum fuss, but it isn't doing it with evil intent.

But... why? What other software vendors look at the OS security model from a viewpoint of 'how do we bypass this as much as possible?' If it's not evil intent, what is it, incompetence?

replies(2): >>22737156 #>>22738561 #
1. javagram ◴[31 Mar 20 13:14 UTC] No.22737156[source]
It’s about making your software as easy to use as possible.

Users don’t like UAC or having to click through a dozen dialogs. They just want to get into their virtual meeting.

replies(2): >>22737196 #>>22738183 #
2. my123 ◴[31 Mar 20 13:18 UTC] No.22737196[source]
Then Zoom should just make them join the meeting via the web browser!

Zoom does this somehow and doesn't make joining from the web frictionless when they pretty much could have.

3. lonelappde ◴[31 Mar 20 15:04 UTC] No.22738183[source]
Zoom could be honest about what it doing instead of going to extreme lengths to conceal it