Malware, Vulnerability Management

Bug brokers put two Zoom zero-days on the market


Software vulnerability brokers are reportedly in possession of two zero-day Zoom video conferencing app exploits – one affecting Windows clients and the other impacting OS X clients – and they are looking to sell.

The Zoom for Windows vulnerability is a remote code execution bug that the hackers are offering for a hefty sum of $500,000, Motherboard/Vice has reported, citing three separate sources. The MacOs is not an RCE flaw and therefore is less critical and more difficult to leverage in an attack.

The Windows exploit reportedly would enable unauthorized access to the Zoom app, potentially allowing malicious actors, pranksters or corporate spies to join a call, albeit not in a particularly covert manner. Access to the machine running the app would require a second bug used in conjunction.

Zoom, of course, is in high demand as the world's workforce largely works from home while riding out the COVID-19 pandemic. This growing trend has shined a spotlight on deficiencies in Zoom app security, which has led to so-called Zoom bombings.

Two of Motherboard's sources are anonymous, but a third was identified as Netragard, a pen testing and red teaming company that once sold and traded zero-day bugs. Adriel Desautels, founder of the company, reportedly said, “I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered.” None of the sources has seen the actual exploit code.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company reportedly said in a statement. “To date, we have not found any evidence substantiating these claims.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.