Zoom Remote Code Execution Security Vulnerability Found For Windows And MacOS
With everyone using Zoom for both work and school, a vulnerability in the software can be especially concerning. This week, researchers competing in a zero-day hunting competition found a bug in Zoom that allowed them to remotely execute code without any action required from the target. This find netted the researchers a cash prize and the concern of Zoom customers everywhere.
Pwn2Own is a zero-day hunting contest organized by the Zero Day Initiative, which brings white hat hackers together to make software better by finding vulnerabilities before attackers do. The multi-day event uncovered many issues across a range of software, but the most interesting, and potentially the most impactful, is the one found in Zoom.
We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW
— Zero Day Initiative (@thezdi) April 7, 2021
As shown in the tweet above, all an attacker has to do is call a target and wait to get remote code execution, demonstrated here by the calculator launching. Purportedly this relies on a three-bug attack chain to achieve the RCE, but it is unknown what exactly was happening behind the scenes. This finding earned the researchers a $20,000 prize for their work and a pat on the back from Zoom.
Since the vulnerability was discovered and confirmed, it has been reported that this attack works on Windows and macOS but has not yet been tested on mobile platforms. In a statement to Malwarebytes, Zoom explained that it is now working to mitigate the issue across the board, thanks to the researchers. It also reported that “the attack must also originate from an accepted external contact or be a part of the target’s same organizational account,” so it likely will not be a widespread issue in the future. In any case, it is still cool to see things like this pop up, so let us know what you think of this vulnerability find in the comments below.