Zoom for macOS Has a Couple of Dangerous Zero-Day Vulnerabilities

A couple of zero-day vulnerabilities found in the MacOS version of the Zoom video conferencing application could let attackers elevate their rights to root or to gain access to the microphone and camera.

Just a couple of days ago, Zoom removed the Facebook SDK functionality from its iOS app because it was sending back user data even if the user didn’t have a Facebook account. Now, researchers have identified a couple of vulnerabilities that affect the macOS version of the app.

After the worldwide COVID-19 pandemic sent millions of people home, Zoom registered a surge in the number of users. More and more employees, companies, students and others users choose Zoom for their daily lives. As expected, security researchers started to find vulnerabilities, some more dangerous than others.

The two zero-day vulnerabilities identified by Patrick Wardle from Jamf are pretty bad, although they do require physical access to the machine. The first issue had to do with Zoom using the deprecated AuthorizationExecuteWithPrivileges API that would let attackers elevate their rights to root.

“Ever wondered how the @zoom_usmacOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed),” said Felix Seele, a technical lead at VMRay.

Zoom used the method to allow installation of the application even by people who didn’t have the right to do so. The problem, of course, would be that the Zoom installer could be used as a piggyback for other malware.

Also, Zoom users would be prompted that the application needs access to the camera and microphone, which is good, but the app has a provision that lets potential attackers use that provision and gain access to the microphone and camera, allowing them to record meetings.

Now that the problems have been exposed to the public, it’s likely that both Apple and Zoom will soon close the loopholes that allowed this kind of behavior.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top