Hackers advertise critical Zoom Windows bug for $500,000

Two zero-days for Windows and MacOS are being sold, including an RCE flaw that paves the way for full PC takeover

Two critical vulnerabilities found in Zoom’s Windows and MacOS clients have been put up for sale by cyber criminals.

These zero-day flaws include a critical remote code execution (RCE) bug in the software’s Windows client that could allow an attacker to gain full control over the application. Hackers are marketing this particular vulnerability for $500,000, as reported by Motherboard.

This is in addition to a flaw in Zoom’s MacOS client, which isn’t an RCE bug and therefore less dangerous and more difficult to use in a real cyber attack, according to sources speaking with the publication.

The video conferencing software has received widespread attention from hackers in recent weeks given its meteoric rise in popularity and usage by both businesses and consumers.

Cyber criminals have also been keen to exploit the privacy and security storm that’s engulfed the company in recent weeks, which Zoom has recently made efforts to move past.

The increased interest in Zoom zero-days, which are unknown vulnerabilities in software or hardware that cyber criminals can exploit in attacks, chimes with the mass movement of workers and entire businesses to the platform.

“From what I've heard, there are two zero-day exploits in circulation for Zoom,” Netragard founder Adriel Desautels told Motherboard, which was corroborated by two additional anonymous sources.

“One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

The Windows zero-day is a “clean” RCE flaw, one of these sources added, which is ideal to be deployed in industrial espionage attacks. The vulnerability would allow hackers to access the app, although it would need to be combined with another bug exploit to access a victim’s entire machine.

The RCE bug may not appeal to all, and it's likely only useful for those conducting attacks that don't rely on stealth.

Zoom has made several changes in recent days in order to correct the path and restore a reputation that’s been soiled by persistent security issues. These have ranged from confused claims around end-to-end encryption, to a Facebook plugin that transmitted iOS users’ device data to the social network.

The company, for example, last week hired former Facebook chief security officer Alex Stamos as an external consultant. The company has also suspended development on the platform to free up staff and increase the number of those working on security and privacy fixes.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement to Motherboard. “To date, we have not found any evidence substantiating these claims.”

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021
Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021