The app itself had entitlements to circumvent the hardened runtime on the Mac:
However, the com.apple.security.cs.disable-library-validation entitlement is interesting. In short, it tells macOS, “hey, yah I still (kinda?) want the ‘Hardened Runtime’, but please allow any libraries to be loaded into my address space” … in other words, library injections are a go!
Zoom responded fairly quickly with an update:
- Resolved an issue where a malicious party with local access could tamper with the Zoom installer to gain additional privileges to the computer
- Resolved an issue where a malicious party with local access could gain access to a user’s webcam and microphone
So now let’s check the entitlements again:
com.apple.security.cs.disable-library-validation is gone, closing the security hole.
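The before-and-after check described above can be scripted. The following is an added example, not code from the original post or from Zoom: it parses an entitlements plist and reports which hardened-runtime exceptions are switched on and which camera or microphone entitlements any loaded library would share. The `audit_entitlements` function and the `BEFORE`/`AFTER` samples are constructed for illustration.

```python
import plistlib

# Apple-documented hardened-runtime exception entitlements and what each relaxes.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by Apple or the app's Team ID may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory is permitted",
}
# Resource-access entitlements that any code loaded into the process shares.
RESOURCES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}
LIBRARY_VALIDATION_OFF = "com.apple.security.cs.disable-library-validation"


def audit_entitlements(plist_bytes):
    """Return runtime exceptions and resources granted by an entitlements plist."""
    # An unentitled binary yields empty output; treat it as "no entitlements".
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    enabled = {key for key, value in ents.items() if value is True}
    return {
        "exceptions": sorted(enabled & RUNTIME_EXCEPTIONS.keys()),
        "resources": sorted(RESOURCES[k] for k in enabled & RESOURCES.keys()),
        "library_validation_disabled": LIBRARY_VALIDATION_OFF in enabled,
    }


# Constructed sample entitlement sets (not copied from any real app bundle).
BEFORE = plistlib.dumps({
    LIBRARY_VALIDATION_OFF: True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})
AFTER = plistlib.dumps({
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})

if __name__ == "__main__":
    for label, blob in (("before", BEFORE), ("after", AFTER)):
        report = audit_entitlements(blob)
        print(label, report)
        for key in report["exceptions"]:
            print("   ", key, "->", RUNTIME_EXCEPTIONS[key])
```

On a Mac, the plist to feed in is what `codesign -d --entitlements :- /path/to/App.app` prints for the bundle being audited.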
I still don’t trust it, so I will be checking out alternatives.