New Zoom bugs can give attackers root access to your Mac, take over the webcam and mic

Zoom is having a moment, thanks to the fact that many, many people around the world are being forced to work from home (when they can) due to the global coronavirus pandemic.

All of that remote work means a lot of video conference calls, which has brought a gigantic spike in users for the service. But with so many people now using Zoom there is an even greater focus on some of the issues present in the software, like the fact that, despite claims, the video calls are not end-to-end encrypted. And now a security researcher has disclosed a brand new zero-day vulnerability in the software running on Macs, tied to a pair of bugs that can allow an attacker to take over the machine — including the webcam and microphone.

The discovery was made by Jamf researcher and ex-NSA hacker Patrick Wardle, as first reported by TechCrunch.


Wardle details several of Zoom’s security flaws that have been discovered recently (dating back to last year’s debacle), and then goes into detail about the latest bugs. These can not only allow an attacker to gain control of the Mac’s microphone and/or webcam, but also make it possible for that individual to gain root access to macOS as well.

As such, today when Felix Seele also noted that the Zoom installer may invoke the AuthorizationExecuteWithPrivileges API to perform various privileged installation tasks, I decided to take a closer look. Almost immediately I uncovered several issues, including a vulnerability that leads to a trivial and reliable local privilege escalation (to root!).

Put as simply as possible, this is possible because one of the bugs lets an attacker with local access alter or replace the “runwithroot” script during an installation (or potentially an upgrade), and the installer then runs that script as root, which is how they gain root access. Wardle describes this in technical terms over on the Objective-See blog, and if you’re interested in seeing how he breaks it down, go check it out.

Meanwhile, the second bug means an attacker can gain access to the microphone and the webcam, and can even record the Mac’s screen as it’s being used:

Unfortunately, Zoom has (for reasons unbeknown to me), a specific “exclusion” that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access! This gives malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt)!
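To make the two weaknesses concrete from the defender's side, here is an added Python audit example; it is not code from Wardle, Zoom or the Objective-See post. It assumes the “exclusion” Wardle refers to is the macOS Hardened Runtime entitlement com.apple.security.cs.disable-library-validation (the article itself does not name the mechanism), and it works on a constructed entitlements plist and a constructed helper script rather than real Zoom files. The first check flags entitlements that let foreign code into a process that also holds camera or microphone access; the second checks whether a script an installer will run as root could be modified or replaced by an unprivileged user.

```python
"""Added example: audit checks for (1) entitlements that weaken an app's own
process and (2) root-executed helper scripts that unprivileged users could
alter.  The entitlement names are real Apple entitlements; the sample plist
and script below are constructed for this example."""
import os
import plistlib
import stat
import tempfile

# Hardened Runtime entitlements that weaken protection of the process itself.
# Assumption: the "exclusion" in the article is disable-library-validation.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by the same team may be loaded into the process",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables can inject code at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "process may map writable and executable memory",
    "com.apple.security.get-task-allow":
        "other processes may attach to the task with a debugger",
}

# Entitlements granting hardware access; a risky entitlement matters most when
# the same binary also carries one of these.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

# Constructed entitlements plist, in the XML form that
# `codesign -d --entitlements :- /path/to/App.app` prints on macOS.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""


def find_risky_entitlements(entitlements_plist: bytes) -> dict:
    """Return {entitlement: reason} for every risky entitlement set to true."""
    ents = plistlib.loads(entitlements_plist)
    return {key: why for key, why in RISKY_ENTITLEMENTS.items() if ents.get(key) is True}


def sensitive_access(entitlements_plist: bytes) -> set:
    """Return the set of sensitive devices the entitlements grant access to."""
    ents = plistlib.loads(entitlements_plist)
    return {dev for key, dev in SENSITIVE_ENTITLEMENTS.items() if ents.get(key) is True}


def audit_privileged_script_stat(st_uid: int, st_mode: int, parent_mode: int) -> list:
    """Findings for a script that will be executed as root, given its owner uid,
    its mode bits and the mode bits of its parent directory."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A world-writable parent without the sticky bit lets any user unlink and
    # replace the file even when the file itself is read-only.
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit (file can be replaced)")
    return findings


def audit_privileged_script(path: str) -> list:
    """Stat a script on disk and run the ownership/permission checks on it."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(path) or ".")
    return audit_privileged_script_stat(st.st_uid, st.st_mode, parent.st_mode)


if __name__ == "__main__":
    risky = find_risky_entitlements(SAMPLE_ENTITLEMENTS)
    devices = sensitive_access(SAMPLE_ENTITLEMENTS)
    for ent, why in risky.items():
        print(f"RISKY {ent}: {why}; process also holds {sorted(devices)}")
    # Constructed stand-in for a helper script the installer runs as root.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "runwithroot")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho constructed helper\n")
        os.chmod(script, 0o777)
        for finding in audit_privileged_script(script):
            print(f"PRIVILEGED SCRIPT {script}: {finding}")
```

On a real Mac the entitlements come from `codesign -d --entitlements :- /Applications/Example.app` and the script path from the installer package being inspected; the finding to act on is the combination of a risky entitlement with camera or microphone access, or any privileged script that a non-root user can write or replace.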

At the time of publication Zoom had not responded to the original report. However, we all have to hope that Zoom can patch these bugs as soon as possible, considering how important the video conferencing software has become to so many people all over the globe.

And if all of this sounds pretty familiar, it’s because it is very similar to what happened last year. Back then we reported that Zoom had a major vulnerability that would allow an attacker to gain access to a Mac’s webcam. Zoom had to issue an update to fix the problem, but so did Apple, because installing the Zoom app on a Mac also installed a web server on the machine, and that web server stayed behind even after the Zoom app was uninstalled, so the vulnerability was still present.