Apple: Zoom updates macOS installer to remove malware-like exploits

Ex-NSA hacker drops new zero-day doom for Zoom

A researcher discovered two new flaws in video conferencing app Zoom that allow hackers to hijack users' webcams and microphones. Under the right circumstances, an attacker exploiting the flaw could escalate their privileges within the system and gain full root access to a device's underlying operating system, making it easier to install malware or other malicious code, the researcher notes. The two flaws emerged as the platform faces increased scrutiny of its security measures amid a global shift towards working from home.

Yuan acknowledged that the huge influx of new users, including smaller businesses as well as consumers looking to connect with friends and family, has put stress on the platform and led to the detection of security vulnerabilities.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The flaws stem from the Zoom installer's use of the AuthorizationExecuteWithPrivileges application programming interface (API).

Separately, BleepingComputer reported late Tuesday on a security flaw in the Windows version of Zoom that may allow hackers to target users remotely.

'However if you value either your (cyber) security or privacy, you may want to think twice about using (the macOS version of) the app'. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has.

Zoom told iTnews that it will take care of both vulnerabilities, but didn't provide a time frame for fixes.

Kiwi security expert Daniel Ayers has questioned why our security agencies have approved the use of Zoom for our Prime Minister and Cabinet to discuss information classed as restricted.

Covid-19 coronavirus: Why is PM using Zoom amid sharp questions about its security?

Hi @zoom_us & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks.

Zoom, like any app that needs the webcam and microphone, first requires consent from the user. In an update released on March 27, the company removed the app's ability to send data to Facebook. The data contains an advertiser tag, which is assigned to a user's device and places ads with the company.

Meanwhile, the Federal Bureau of Investigation issued a warning about "Zoom Bombing", where third parties were entering Zoom meetings and causing disruptions.
