Researcher Dropped Two Zero-days for Zoom

As the whole world is surviving from Coronavirus Pandemic, and almost every business house and its workers are working from homes. In this situation, remote accessing tools and remote conferencing applications are very much in use.

Zoom, a popular video and web conferencing tool is getting more attraction for its purpose and also for its security concerns. Regarding the security couple of researcher found a bug on Zoom that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

 A former NSA hacker, Patrick Wardle has also found two zero-days bugs on Zoom which can be launched by a local attacker, have physical access to the vulnerable machine. Once the bug exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

First Bug: Silently Installing Malicious App

Wardle said Zoom install its Mac app on users machine without any users interaction and this function can be exploited by attackers by injection malicious code on Zoom installer further installing a malicious application on users Mac machine (which don't need users permission), which leads to gain high user privilege (root) on the machine.
The root-level privileges give an attacker full control over the Mac operating system.

Second Bug: Full Control over Webcam, and microphone