How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)

796 points _Microft | 2 comments | 31 Mar 20 11:41 UTC | HN request time: 0.57s | source

Show context

danans ◴[31 Mar 20 15:23 UTC] No.22738381[source]▶

For those calling this a security vulnerability in MacOS, isn't this just using a GUI equivalent of "sudo"? There may be a decent argument that a consumer OS shouldn't offer such a sudo-like API to installers, but MacOS probably does this for legacy app support reasons.

IMO the better question in this case is why Zoom needs to be installed as admin on MacOS? After all, the mobile apps and chrome extension don't need those privileges.

replies(1): >>22742789 #

1. saagarjha ◴[31 Mar 20 21:25 UTC] No.22742789[source]▶

>>22738381 #

This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.

replies(1): >>22751782 #

2. danans ◴[01 Apr 20 18:11 UTC] No.22751782[source]▶

>>22742789 (TP) #

> This is like the GUI equivalent of running "apt install zoom" and the installation script killing the APT process and then running amok with its root privileges.

So in that case it seems like there is perhaps an issue on both sides.

- I understand that the OS API to get root/admin privileges likely exists for legacy app install reasons, but why should any install script even be able to run amok with admin privileges? Shouldn't privileges granted by this API this is using be sandboxed in the extreme? Something this sensitive shouldn't be left to the honor system of the app developer.

- Independently, I still don't understand why Zoom needs admin privs on Mac when it clearly doesn't need them when installed as a browser extension. I'm using it just fine in Chrome all the time - no admin rights needed.

↑