Hackers advertise critical Zoom Windows bug for $500,000

Two zero-days for Windows and MacOS are being sold, including an RCE flaw that paves the way for full PC takeover

Two critical vulnerabilities found in Zoom’s Windows and MacOS clients have been put up for sale by cyber criminals.

These zero-day flaws include a critical remote code execution (RCE) bug in the software’s Windows client that could allow an attacker to gain full control over the application. Hackers are marketing this particular vulnerability for $500,000, as reported by Motherboard.

This is in addition to a flaw in Zoom’s MacOS client, which isn’t an RCE bug and therefore less dangerous and more difficult to use in a real cyber attack, according to sources speaking with the publication.

The video conferencing software has received widespread attention from hackers in recent weeks given its meteoric rise in popularity and usage by both businesses and consumers.

Cyber criminals have also been keen to exploit the privacy and security storm that’s engulfed the company in recent weeks, which Zoom has recently made efforts to move past.

The increased interest in Zoom zero-days, which are unknown vulnerabilities in software or hardware that cyber criminals can exploit in attacks, chimes with the mass movement of workers and entire businesses to the platform.

“From what I've heard, there are two zero-day exploits in circulation for Zoom,” Netragard founder Adriel Desautels told Motherboard, which was corroborated by two additional anonymous sources.

“One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

The Windows zero-day is a “clean” RCE flaw, one of these sources added, which is ideal to be deployed in industrial espionage attacks. The vulnerability would allow hackers to access the app, although it would need to be combined with another bug exploit to access a victim’s entire machine.

The RCE bug may not appeal to all, and it's likely only useful for those conducting attacks that don't rely on stealth.

Zoom has made several changes in recent days in order to correct the path and restore a reputation that’s been soiled by persistent security issues. These have ranged from confused claims around end-to-end encryption, to a Facebook plugin that transmitted iOS users’ device data to the social network.

The company, for example, last week hired former Facebook chief security officer Alex Stamos as an external consultant. The company has also suspended development on the platform to free up staff and increase the number of those working on security and privacy fixes.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement to Motherboard. “To date, we have not found any evidence substantiating these claims.”

Featured Resources

Become a digital service provider

How to transform your business from network core to edge

Download now

Optimal business results with the cloud

Evaluating the best approaches to hybrid cloud adoption

Download now

Virtualisation that enables choices, not compromises

Harness the virtualisation technology that's right for your hybrid infrastructure

Download now

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Recommended

Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Website problems slow coronavirus vaccine rollout
hacking

Website problems slow coronavirus vaccine rollout

6 Jan 2021

Most Popular

How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
The fate of Parler exposes the reality of deregulated social media
Policy & legislation

The fate of Parler exposes the reality of deregulated social media

14 Jan 2021
Should IT departments to call time on WhatsApp?
communications

Should IT departments to call time on WhatsApp?

15 Jan 2021