2 min read

Zoom for macOS Has a Couple of Dangerous Zero-Day Vulnerabilities

Silviu STAHIE

April 02, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Zoom for macOS Has a Couple of Dangerous Zero-Day Vulnerabilities

A couple of zero-day vulnerabilities found in the MacOS version of the Zoom video conferencing application could let attackers elevate their rights to root or to gain access to the microphone and camera.

Just a couple of days ago, Zoom removed the Facebook SDK functionality from its iOS app because it was sending back user data even if the user didn”t have a Facebook account. Now, researchers have identified a couple of vulnerabilities that affect the macOS version of the app.

After the worldwide COVID-19 pandemic sent millions of people home, Zoom registered a surge in the number of users. More and more employees, companies, students and others users choose Zoom for their daily lives. As expected, security researchers started to find vulnerabilities, some more dangerous than others.

The two zero-day vulnerabilities identified by Patrick Wardle from Jamf are pretty bad, although they do require physical access to the machine. The first issue had to do with Zoom using the deprecated AuthorizationExecuteWithPrivileges API that would let attackers elevate their rights to root.

“Ever wondered how the @zoom_usmacOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed),” said Felix Seele, a technical lead at VMRay.

Zoom used the method to allow installation of the application even by people who didn”t have the right to do so. The problem, of course, would be that the Zoom installer could be used as a piggyback for other malware.

Also, Zoom users would be prompted that the application needs access to the camera and microphone, which is good, but the app has a provision that lets potential attackers use that provision and gain access to the microphone and camera, allowing them to record meetings.

Now that the problems have been exposed to the public, it”s likely that both Apple and Zoom will soon close the loopholes that allowed this kind of behavior.

Here at Bitdefender we focus on keeping your devices protected from malicious activity and threats of all kinds. Now more than ever, you need autonomy and safety as you reach the world via your internet-enabled devices. That”s why we have extended the trial for our best security suite, ensuring that you can take care of your family”s devices for up to 90 days. If you”re already set up, why not make an unexpected gift to your loved ones who might not be aware of emerging cyber threats?

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read