IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers advertise critical Zoom Windows bug for $500,000

Two zero-days for Windows and MacOS are being sold, including an RCE flaw that paves the way for full PC takeover

Zoom security

Two critical vulnerabilities found in Zoom’s Windows and MacOS clients have been put up for sale by cyber criminals.

These zero-day flaws include a critical remote code execution (RCE) bug in the software’s Windows client that could allow an attacker to gain full control over the application. Hackers are marketing this particular vulnerability for $500,000, as reported by Motherboard.

This is in addition to a flaw in Zoom’s MacOS client, which isn’t an RCE bug and therefore less dangerous and more difficult to use in a real cyber attack, according to sources speaking with the publication.

The video conferencing software has received widespread attention from hackers in recent weeks given its meteoric rise in popularity and usage by both businesses and consumers.

Cyber criminals have also been keen to exploit the privacy and security storm that’s engulfed the company in recent weeks, which Zoom has recently made efforts to move past.

The increased interest in Zoom zero-days, which are unknown vulnerabilities in software or hardware that cyber criminals can exploit in attacks, chimes with the mass movement of workers and entire businesses to the platform.

“From what I've heard, there are two zero-day exploits in circulation for Zoom,” Netragard founder Adriel Desautels told Motherboard, which was corroborated by two additional anonymous sources.

“One affects OS X and the other Windows. I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.”

The Windows zero-day is a “clean” RCE flaw, one of these sources added, which is ideal to be deployed in industrial espionage attacks. The vulnerability would allow hackers to access the app, although it would need to be combined with another bug exploit to access a victim’s entire machine.

The RCE bug may not appeal to all, and it's likely only useful for those conducting attacks that don't rely on stealth.

Zoom has made several changes in recent days in order to correct the path and restore a reputation that’s been soiled by persistent security issues. These have ranged from confused claims around end-to-end encryption, to a Facebook plugin that transmitted iOS users’ device data to the social network.

The company, for example, last week hired former Facebook chief security officer Alex Stamos as an external consultant. The company has also suspended development on the platform to free up staff and increase the number of those working on security and privacy fixes.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement to Motherboard. “To date, we have not found any evidence substantiating these claims.”

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Escape the ransomware maze
Whitepaper

Escape the ransomware maze

23 Aug 2022
Twilio account breach result of sophisticated social engineering campaign
Security

Twilio account breach result of sophisticated social engineering campaign

9 Aug 2022
Over 200,000 DrayTek routers vulnerable to total device takeover
Security

Over 200,000 DrayTek routers vulnerable to total device takeover

3 Aug 2022
Data on 69 million Neopets users stolen and listed for sale on hacker forum
Security

Data on 69 million Neopets users stolen and listed for sale on hacker forum

21 Jul 2022

Most Popular

Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022
Anonymous hacks Iranian government and state broadcasters
cyber attacks

Anonymous hacks Iranian government and state broadcasters

22 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022