Hackers advertise critical Zoom Windows bug for $500,000

Two zero-days for Windows and MacOS are being sold, including an RCE flaw that paves the way for full PC takeover

Two critical vulnerabilities found in Zoom’s Windows and MacOS clients have been put up for sale by cyber criminals.

These zero-day flaws include a critical remote code execution (RCE) bug in the software’s Windows client that could allow an attacker to gain full control over the application. Hackers are marketing this particular vulnerability for $500,000, as reported by Motherboard.

Advertisement - Article continues below

This is in addition to a flaw in Zoom’s MacOS client, which isn’t an RCE bug and therefore less dangerous and more difficult to use in a real cyber attack, according to sources speaking with the publication.

The video conferencing software has received widespread attention from hackers in recent weeks given its meteoric rise in popularity and usage by both businesses and consumers.

Cyber criminals have also been keen to exploit the privacy and security storm that’s engulfed the company in recent weeks, which Zoom has recently made efforts to move past.

The increased interest in Zoom zero-days, which are unknown vulnerabilities in software or hardware that cyber criminals can exploit in attacks, chimes with the mass movement of workers and entire businesses to the platform.

“From what I've heard, there are two zero-day exploits in circulation for Zoom,” Netragard founder Adriel Desautels told Motherboard, which was corroborated by two additional anonymous sources.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

“One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

The Windows zero-day is a “clean” RCE flaw, one of these sources added, which is ideal to be deployed in industrial espionage attacks. The vulnerability would allow hackers to access the app, although it would need to be combined with another bug exploit to access a victim’s entire machine.

The RCE bug may not appeal to all, and it's likely only useful for those conducting attacks that don't rely on stealth.

Zoom has made several changes in recent days in order to correct the path and restore a reputation that’s been soiled by persistent security issues. These have ranged from confused claims around end-to-end encryption, to a Facebook plugin that transmitted iOS users’ device data to the social network.

The company, for example, last week hired former Facebook chief security officer Alex Stamos as an external consultant. The company has also suspended development on the platform to free up staff and increase the number of those working on security and privacy fixes.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement to Motherboard. “To date, we have not found any evidence substantiating these claims.”

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/hacking/355854/hackers-wreaking-havoc-on-googles-cloud-infrastructure
hacking

Hackers are wreaking havoc on Google’s Cloud infrastructure

1 Jun 2020
Visit/security/phishing/355810/zloader-malware-returns-as-a-coronavirus-phishing-scam
phishing

ZLoader malware returns as a coronavirus phishing scam

27 May 2020
Visit/security/hacking/355806/anarchygrabber-hack-steals-discord-tokens-ids-and-passwords
hacking

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020
Visit/security/hacking/355801/scammers-using-coronavirus-contact-tracing-in-hacking-attempt
hacking

Scammers leverage contact-tracing in hacking attempt

27 May 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020