Even after all its fixes, Zoom still seems to be in hot water. Reportedly, hackers are selling two Zoom zero-days online for $500,000.
Zoom Zero-Days Sold Online
According to a Motherboard report, researchers found two Zoom zero-days on sale online for a hefty amount. These bugs exist in the Zoom clients for Windows and macOS. Since neither bug has received a patch yet, the hackers can exploit them to compromise target devices.
At present, the researchers who found the bugs on sale cannot verify their authenticity, for obvious reasons. Regarding the one affecting Windows, a source told Motherboard:
[The Windows zero-day] is nice, a clean RCE [Remote Code Execution]. Perfect for industrial espionage.
Exploiting this RCE allows an adversary to take control of the entire device rather than just the app.
The other one, affecting macOS, isn’t an RCE. However, its exploitation is what supports hacking the whole device.
Exploiting the bugs requires an attacker to make a call to the target. This makes the exploits less useful for stealthy attacks.
Together, these bugs are on sale for $500,000. However, one of the sources familiar with these exploits thinks they’re not worth the asking price; rather, the price should have been half of the current demand.
I don’t see how it makes sense compared to the concrete potential in terms of intelligence, I think it’s just kids who hope to make a bang.
Zoom Monitoring The Matter
In a statement, Zoom confirmed that it is looking into the matter. However, it reports no active exploitation of such bugs yet.
Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them.
To date, we have not found any evidence substantiating these claims.
Adriel Desautels, founder of exploit acquisition platform Netragard, believes that the bugs will soon become worthless.
I don’t expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.
Considering how actively Zoom is addressing all security concerns reported lately, we may expect a quick fix for the zero-days as well.
Zoom recently announced more updates to its features to improve user security. These changes include variations in password requirements, random 11-digit Meeting IDs, password protection for cloud recordings, resumption of third-party file sharing, and the option to hide notification message previews on desktop chat.
Before that, they also announced the introduction of custom data routing for premium Zoom users.