Continuing the trail of security issues, two security vulnerabilities have now surfaced in the Zoom macOS client. The vulnerabilities, seemingly unpatched so far, can give an attacker elevated privileges.
Security researcher Patrick Wardle has now come up with an interesting finding. As revealed in his recent post, the Zoom macOS client has two major security flaws that need quick fixes.
The first of these is a privilege escalation flaw that can give an attacker root access. According to researcher Felix Seele, it relates to the behavior of the Zoom macOS app installer, which requires no user input for installation.
As noted by Seele and endorsed by Wardle, the Zoom client on macOS installs the app using the AuthorizationExecuteWithPrivileges API, which executes a binary without authorization. It is pertinent to note that Apple has already deprecated this API due to privacy concerns. Yet Zoom continued using this API on macOS, about which Eric Yuan, Zoom’s CEO, told Seele,
Regardless of the justification, this behavior potentially allows an attacker to gain elevated privileges on any target device simply by modifying the binary. According to Wardle,
The second vulnerability gives an attacker explicit access to the target device’s camera and microphone. Hence, an attacker may even record Zoom meetings. As explained by Wardle,
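
For the first flaw above (a binary run with root privileges that an attacker can modify), the following is an added example, not code from Zoom, Wardle or Seele: a check a defender can run before a file is executed with elevated privileges, flagging the file and any parent directory that an untrusted local user could alter. The function names, the stop_at parameter and the install_helper file name are hypothetical, and the demo tree is constructed, with the current user standing in for root as the trusted owner.

```python
import os
import stat
import tempfile

def weaknesses(path, trusted_uids):
    """Reasons an untrusted local user could alter or replace `path`."""
    st = os.lstat(path)
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
    if st.st_uid not in trusted_uids:
        reasons.append("untrusted-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group-or-world-writable")
    return reasons

def audit_privileged_target(path, stop_at, trusted_uids=(0,)):
    """Check the file and each parent up to stop_at; a writable parent lets the file be swapped."""
    findings = {}
    current, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    while True:
        reasons = weaknesses(current, trusted_uids)
        if reasons:
            findings[current] = reasons
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def demo():
    """Constructed tree: audit it locked down, then with a writable directory."""
    me = (os.getuid(),)
    root = os.path.abspath(tempfile.mkdtemp())    # created with mode 0700
    pkg = os.path.join(root, "pkg")
    helper = os.path.join(pkg, "install_helper")  # hypothetical helper name
    os.mkdir(pkg)
    os.chmod(pkg, 0o755)
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o755)
    locked = audit_privileged_target(helper, root, me)
    os.chmod(pkg, 0o777)                          # anyone can now replace the helper
    loose_dir = audit_privileged_target(helper, root, me)
    return locked, loose_dir, pkg

if __name__ == "__main__":
    print(demo())
```

An empty result means every checked path is owned by a trusted user and writable only by its owner; the check is deliberately conservative and also flags sticky-bit directories.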