Before you sign in to Zoom for your next video call, take a few minutes to update the app. Zoom recently released a security patch for a serious hole that could let an attacker take over your entire Mac.

The vulnerability, discovered by Patrick Wardle of the Objective-See Foundation, concerns Zoom’s automatic updater, which runs as root and does not prompt for a user password. When the updater runs, it is supposed to verify that the update package is signed by Zoom, but Wardle found that the check amounted to matching the package’s name against the expected signer rather than verifying the signature itself. An attacker who could already run code on the Mac as an ordinary user could hand the updater a package named to satisfy that check, and the updater would install it with root privileges.

Wardle presented his findings at the DefCon event last week, and his presentation can be viewed online. Zoom responded by releasing the 5.11.5 (9788) update, which fixes the bug, but it is actually the second attempt at a fix. Wardle told Zoom about the vulnerability in December and the company released a fix then, but that fix had a bug of its own, and the vulnerability remained exploitable.

Zoom has a checkered security history. In the past, it had issues with unauthorized microphone access, lack of encryption, and meetings being invaded by unauthorized users. Zoom has fixed those issues with updates.

Update 18-8-22: Apparently the 5.11.5 (9788) update did not fully resolve the issue. Zoom has released another update that seems to provide a fix. (Third time is the charm?) Update 5.11.6 (9098) is now available.

Zoom may update automatically when you launch the app, but it may not install the latest version (this happened to me), which is 5.11.6 (9098). To check the version, start Zoom and click zoom.us > About Zoom. If you do not have the latest version, you will need to update it manually. Here’s how.
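For anyone who would rather check a fleet of Macs than click through About Zoom on each one, here is an added version check in Python. It is example code written for this post, not Zoom’s own tooling. It assumes that the installed bundle’s Info.plist records the version under the standard Apple keys CFBundleVersion or CFBundleShortVersionString in the form shown in the post (for example 5.11.5 (9788)); the bundle path and the sample plist embedded below are assumptions and constructed data, not captured from a real install. One detail worth noticing: the fixed release 5.11.6 (9098) carries a lower build number than the unfixed 5.11.5 (9788), so the check compares the dotted version and deliberately ignores the build.

```python
import plistlib
import re
from typing import Optional, Tuple

# Dotted version named in the post as the one that fully resolves the updater bug.
PATCHED_VERSION = (5, 11, 6)

# Matches "5.11.5 (9788)" as well as a bare "5.11.5".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\((\d+)\))?\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """Split 'MAJOR.MINOR.PATCH (BUILD)' into a dotted tuple and an optional build number."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    dotted = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return dotted, build


def is_patched(text: str, minimum: Tuple[int, ...] = PATCHED_VERSION) -> bool:
    """True if the dotted version is at least `minimum`.

    The build number is ignored on purpose: 5.11.6 (9098) has a lower build
    number than 5.11.5 (9788), so comparing builds would wrongly flag the
    patched client as out of date.
    """
    dotted, _build = parse_version(text)
    # Pad the shorter tuple with zeros so that 5.11 compares as 5.11.0.
    width = max(len(dotted), len(minimum))
    padded_have = dotted + (0,) * (width - len(dotted))
    padded_want = tuple(minimum) + (0,) * (width - len(minimum))
    return padded_have >= padded_want


def version_from_info_plist(plist_bytes: bytes) -> str:
    """Pull the version string out of an Info.plist.

    Assumption: the version lives under CFBundleVersion or
    CFBundleShortVersionString. Both are standard Apple keys, but the exact
    contents of Zoom's plist are not something the post documents.
    """
    info = plistlib.loads(plist_bytes)
    for key in ("CFBundleVersion", "CFBundleShortVersionString"):
        if key in info:
            return str(info[key])
    raise KeyError("no version key found in Info.plist")


# Constructed sample plist for offline testing; not taken from a real Zoom install.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleVersion</key>
    <string>5.11.5 (9788)</string>
</dict>
</plist>
"""


def check_sample() -> bool:
    """Run the full check over the constructed sample (an unpatched 5.11.5 build)."""
    return is_patched(version_from_info_plist(SAMPLE_PLIST))


if __name__ == "__main__":
    import pathlib
    import sys

    # Assumed install location on a Mac; falls back to the sample when absent.
    plist_path = pathlib.Path("/Applications/zoom.us.app/Contents/Info.plist")
    data = plist_path.read_bytes() if plist_path.exists() else SAMPLE_PLIST
    version = version_from_info_plist(data)
    ok = is_patched(version)
    print(f"Zoom {version}: {'patched' if ok else 'UPDATE NEEDED'}")
    sys.exit(0 if ok else 1)
```

Run it as `python3 zoom_check.py` on the Mac in question; it exits non-zero when the installed version is older than 5.11.6, which makes it easy to drop into an endpoint-management script. If Zoom ever changes the format of its version string, `parse_version` raises rather than silently reporting the machine as patched.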