Zoom patched two zero-day vulnerabilities Thursday, shortly after a security researcher posted the flaws on his personal blog.
The first one allows a local user to gain root-level privileges on the macOS version of Zoom via Zoom's recently discovered use of preinstallation scripts, which, in short, install the app automatically without the user having to complete the installation manually. The second macOS zero-day flaw allows an attacker to install malicious code that grants them control of the webcam and microphone.
In his initial blog post, Wardle, a former security engineer with the National Security Agency, didn't explain why he published the Zoom zero-day vulnerabilities without notifying the company or following responsible disclosure practices.
When SearchSecurity asked Zoom for comment yesterday, the company provided the following statement. "We are actively investigating and working to address these issues. We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
In the hours since the Zoom zero-days were disclosed, the company fixed both of Wardle's flaws, as well as another vulnerability disclosed earlier this week, which allowed attackers on Windows to steal Windows login credentials and run programs when a user clicked a UNC link.
In a public message to users, Zoom founder and CEO Eric Yuan said the company would dedicate "the resources needed to better identify, address, and fix issues proactively." He pledged to improve Zoom's current bug bounty program, perform penetration testing and implement "a feature freeze, effectively (sic) immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues."
Despite heavily criticizing Zoom in his blog post, Wardle offered the company "kudos" on Twitter for its swift response in posting the patches.