Vulnerabilities discovered in popular video teleconferencing app Zoom could allow attackers to escalate privileges on a computer or allow access to users’ webcams and microphones, according to new research from Jamf Principal Security Researcher Patrick Wardle.
It’s just the latest security and privacy issue for Zoom, which has been served with a class-action lawsuit over its data sharing practices, and come under scrutiny from the New York Attorney General’s Office and the FBI.
Yet, if you’re already social distancing to avoid the spread of the coronavirus, the two vulnerabilities may not be a primary concern. In order for someone to exploit these zero-days, they would need to have physical access to a machine running Zoom’s macOS client, according to Wardle.
“However if you value either your (cyber) security or privacy, you … should avoid using the macOS version of the app, as neither of these essential values seem to be part of their ethos,” Wardle writes.
Zoom is working to update its installer and client to address the vulnerabilities Wardle exposed, a Zoom spokesperson told CyberScoop.
“We are actively investigating and working to address these issues. We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue,” the spokesperson said.
The first vulnerability, which could make it possible for attackers or malware to escalate their privileges to complete control of the machine, derives in part from use of an insecure API.
“Apple clearly notes that the ‘AuthorizationExecuteWithPrivileges’ API is deprecated and should not be used. Why? Because the API does not validate the binary that will be executed (as root!) …meaning a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root (as well),” Wardle writes.
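The exposure described here is a file that gets executed as root while sitting somewhere a non-root user can modify or replace it. The following is an added example, not code from Wardle's research or from Zoom, showing how a defender could audit a helper's path for that condition; the function name, the `trusted_uids` and `stop_at` parameters, and the sample helper file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def tamper_findings(path, trusted_uids=(0,), stop_at="/"):
    """List reasons an untrusted local user could modify or replace `path`.

    Checks the file and every parent directory up to `stop_at` (inclusive).
    Deliberately conservative: any group- or world-writable bit is reported.
    """
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append(f"{current}: owned by untrusted uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{current}: group- or world-writable")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def demo():
    """Constructed sample: a helper script in a temporary directory."""
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as pkg:
        helper = os.path.join(pkg, "helper.sh")  # hypothetical helper name
        with open(helper, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(helper, 0o755)
        os.chmod(pkg, 0o755)
        locked = tamper_findings(helper, (me,), stop_at=pkg)
        os.chmod(pkg, 0o777)  # anyone can now swap files in this directory
        loose = tamper_findings(helper, (me,), stop_at=pkg)
        os.chmod(pkg, 0o755)
    return locked, loose


if __name__ == "__main__":
    print(demo())
```

With the defaults (`trusted_uids=(0,)`, `stop_at="/"`), an empty result means only root can alter the file or any directory on the way to it.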
The second vulnerability could allow someone to insert malicious code so that the application shares access to the webcam and microphone with attackers.
“Unfortunately, Zoom has (for reasons unbeknown to me), a specific ‘exclusion’ that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access,” Wardle writes.
Through this mechanism, attackers could possibly record Zoom meetings or access the microphone or camera whenever they want if they load the right kind of malicious library, without users ever knowing, according to Wardle.
“Once our malicious library is loaded in Zoom’s process/address space, the library will automatically inherit any/all of Zoom’s access rights/permissions,” Wardle writes.
This is the second time research has uncovered issues with Zoom’s relationship with cameras. Last year, Jonathan Leitschuh, a software engineer at Gradle, uncovered how Zoom could allow external parties to activate user cameras without permission.