Zoom macOS app quietly added back cs.disable-library-validation entitlement

123 points by nuker, almost 3 years ago
So the CVE-2020-11470 is back.

“This effectively disables code signature verification for its dynamic libraries and enables a code injection attack that Wardle calls "dylib proxying". It's not clear why Zoom uses this exception since its own libraries appear to be properly signed.”

https://www.csoonline.com/article/3535789/weakness-in-zoom-for-macos-allows-local-attackers-to-hijack-camera-and-microphone.amp.html

Check latest pkg with Suspicious Package [0] analyzer.

[0] https://www.mothersruin.com/software/SuspiciousPackage/

3 comments

pvg, almost 3 years ago
Big thread the other day:

https://news.ycombinator.com/item?id=32447339
nuker, almost 3 years ago
Copying back the removed comment:

“The appeal of injecting a library into Zoom, revolves around its (user-granted) access to the mic and camera. Once our malicious library is loaded into Zoom’s process/address space, the library will automatically inherit any/all of Zoom's access rights/permissions!

This means that if the user has given Zoom access to the mic and camera (a more than likely scenario), our injected library can equally access those devices.”

https://objective-see.org/blog/blog_0x56.html
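
For anyone auditing installed apps for the combination discussed above (library validation disabled on a process that can also request the mic and camera), here is an added example; it is not code from the thread, from Zoom or from Objective-See. It parses an entitlements plist such as the XML that `codesign` prints. The sample plists are constructed, and the function and variable names are assumptions made for illustration.

```python
import plistlib

# Hardened-runtime entitlement keys documented by Apple.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DEVICES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_bytes):
    """Audit one entitlements plist, e.g. the XML printed on recent macOS by
    `codesign -d --entitlements - --xml /path/to/App.app`."""
    ent = plistlib.loads(plist_bytes)
    # Only an explicit <true/> counts; a key set to <false/> is not a weakness.
    weakened = [k for k in (DISABLE_LV, DYLD_ENV) if ent.get(k) is True]
    devices = sorted(n for k, n in DEVICES.items() if ent.get(k) is True)
    return {
        "library_validation_disabled": DISABLE_LV in weakened,
        "weakening_entitlements": weakened,
        "devices": devices,
        # Flag for review: libraries not signed by the vendor can load into a
        # process that is allowed to ask for (and may hold) mic/camera access.
        "review": DISABLE_LV in weakened and bool(devices),
    }

def _plist(keys):
    # Constructed sample data, not extracted from any real application.
    body = "".join(f"<key>{k}</key><true/>" for k in keys)
    return (f'<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()

SAMPLE_WEAK = _plist([DISABLE_LV, *DEVICES])
SAMPLE_HARDENED = _plist(list(DEVICES))

if __name__ == "__main__":
    for name, blob in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_entitlements(blob))
```

The device entitlements only show that the app may request the mic and camera; whether the user actually granted access is recorded by TCC, not in the signature.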
jupenur, almost 3 years ago
There's an even more ubiquitous app that also usually has mic and camera permissions and suffers from a similar (but technically unrelated) local code injection issue: Chrome. The bug is described here [0] and was closed as WontFix because "if your machine is compromised, it's beyond the scope of anything Chrome can do about it".

Even if you don't use Chrome, you probably have at least a few Electron apps installed; they all suffer from the same issue.

The only logical conclusion is the macOS privacy model, TCC, is doomed. There's always an app that has non-default TCC permissions and is vulnerable to some type of local code injection, and at that point any malicious app can also access those TCC-protected features.

[0] https://crbug.com/1300121