How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)

796 points _Microft | 1 comments | 31 Mar 20 11:41 UTC | HN request time: 0.001s | source

Show context

manigandham ◴[31 Mar 20 14:48 UTC] No.22738023[source]▶

1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.

3) Malware is defined by what it does, not how it's installed.

replies(3): >>22738241 #>>22738342 #>>22741312 #

Gaelan ◴[31 Mar 20 15:19 UTC] No.22738342[source]▶

>>22738023 #

I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.

While normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, but I think it's OK in this case where the expectation was that we're installing their software anyway.

replies(3): >>22738808 #>>22742516 #>>22742693 #

1. manigandham ◴[31 Mar 20 15:56 UTC] No.22738808[source]▶

>>22738342 #

You're right, it's more of a design issue. More explicit permissions on altering the Applications folder could help. Then again, most people want an easier install so this is really for those who want that extra control.

↑