Posted on 07-11-2019 02:52 PM
I know there's another thread on Zoom, but I want to ask specifically about the design of their installer package. We opened it up to see what it did, and I don't know if I have ever seen a package like this. First of all, it will run without requesting a username or password. It has no payload like a normal package. Instead, it is a series of scripts and 7z compressed files. While it appears to be signed and notarized, it also seems to me like these decisions are ways around some of Apple's security features like the TCC prompts. Has anyone else inspected this package with something like Suspicious Package? Am I just being paranoid, or does it seem like it raises some red flags?
Posted on 07-12-2019 06:24 AM
Before I deployed the patched Zoom app, I downloaded it myself and ran the .PKG. The installer window opened with no prompts and closed after a few seconds, and then Zoom opened. It was also indeed stored in /Applications rather than running locally. I instead downloaded the package for IT admins.
Looking at the base package with Suspicious Package, there are 2 scripts that run upon opening the installer. One is a preinstall and the other is called "runwithroot", which does the actual app drop in /Applications.
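As an added defender-side check (this is example code, not from the thread, from Jamf, or from Zoom): a POSIX shell audit that walks a flat package after `pkgutil --expand` and reports the traits discussed above, namely components that carry no Payload, pre/postinstall scripts, and helper executables or compressed archives shipped inside the Scripts directory. Signature and notarization checks use `pkgutil --check-signature` and `spctl` and are only attempted where those tools exist. The component names and file layout built by `build_sample_tree` are constructed for the demo and do not describe any real package.

```shell
#!/bin/sh
# Added example: audit an expanded flat .pkg for "script-only" installer traits.
# Expand first with: pkgutil --expand Installer.pkg /tmp/expanded   (macOS)
# The audit itself only walks the expanded directory tree.

# check_pkg_trust PKG -- signature and Gatekeeper assessment (macOS tools only).
check_pkg_trust() {
  command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not available; skipping" >&2; return 0; }
  pkgutil --check-signature "$1"
  # -t install assesses the package against Gatekeeper's installer policy.
  command -v spctl >/dev/null 2>&1 && spctl --assess --type install -vv "$1"
}

# audit_expanded_pkg DIR -- one finding per line for the expanded tree in DIR.
# Findings: NO_PAYLOAD <component>, SCRIPT <path>, HELPER <path>, ARCHIVE <path>.
audit_expanded_pkg() {
  root="$1"
  # A distribution package holds its component packages as *.pkg subdirectories;
  # a bare component package has PackageInfo at the top level instead.
  if [ -f "$root/PackageInfo" ]; then
    set -- "$root"
  else
    set -- "$root"/*.pkg
  fi
  for comp in "$@"; do
    [ -d "$comp" ] || continue
    name=$(basename "$comp")
    # Metadata without a Payload means nothing is installed through the normal
    # bill-of-materials path; whatever lands on disk is placed by the scripts.
    if [ ! -e "$comp/Payload" ]; then
      echo "NO_PAYLOAD $name"
    fi
    [ -d "$comp/Scripts" ] || continue
    for f in "$comp/Scripts"/*; do
      [ -f "$f" ] || continue
      base=$(basename "$f")
      case "$base" in
        preinstall|postinstall|preflight|postflight|preupgrade|postupgrade)
          echo "SCRIPT $name/Scripts/$base" ;;
        *.7z|*.zip|*.tar|*.tgz|*.tar.gz|*.xz|*.gz)
          echo "ARCHIVE $name/Scripts/$base" ;;
        *)
          # Anything else in Scripts is an extra helper the installer scripts can call.
          echo "HELPER $name/Scripts/$base" ;;
      esac
    done
  done
}

# build_sample_tree DIR -- constructed stand-in for an expanded distribution package:
# one component with a real Payload, one that ships only scripts and an archive.
build_sample_tree() {
  mkdir -p "$1/sample-normal.pkg" "$1/sample-wrapper.pkg/Scripts"
  : > "$1/sample-normal.pkg/PackageInfo"
  : > "$1/sample-normal.pkg/Payload"
  : > "$1/sample-wrapper.pkg/PackageInfo"
  printf '#!/bin/sh\n' > "$1/sample-wrapper.pkg/Scripts/preinstall"
  : > "$1/sample-wrapper.pkg/Scripts/runwithroot"
  : > "$1/sample-wrapper.pkg/Scripts/app.7z"
}

# Demo run on the constructed tree (prints four findings for sample-wrapper.pkg).
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
audit_expanded_pkg "$demo_dir"
rm -rf "$demo_dir"
```

On a real package, run `check_pkg_trust Installer.pkg` first, then `pkgutil --expand` into a scratch directory and point `audit_expanded_pkg` at it; a component reported as NO_PAYLOAD alongside SCRIPT and HELPER lines is exactly the shape the thread describes and is worth reading line by line before deployment.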
Posted on 07-12-2019 07:20 AM
it also seems to me like these decisions are ways around some of Apple's security features like the TCC prompts.
Nail hit squarely on head. :)