Zoom, a popular video conferencing app, has been found to have a zero-day flaw affecting its Mac client which, according to researcher Jonathan Leitschuh, has yet to be patched. The flaw allows an attacker to activate a victim's webcam without their permission by tricking them into clicking a fake Zoom invite URL. The fake invite URL can be embedded in malicious advertisements or sent via phishing emails. With the service used by around 750,000 companies worldwide, the potential damage is massive.

The vulnerability remains on an affected computer even after Zoom has been removed from the system. When Zoom is installed, it also installs a web server on the client's Mac. This web server is not deleted when the user removes the Zoom app, and once a Zoom link is clicked, even after the app has been deleted, the web server re-downloads the Zoom app without notifying the user.

The second flaw is a Denial-of-Service (DoS) vulnerability. The DoS attack is carried out by an attacker issuing repeated invalid calls that deny the user access to the victim's system.

Zoom was contacted by researchers about the flaws but has so far provided only a very minor fix that doesn't address the major issues. Zoom did, however, fix the DoS vulnerability in version 4.4.2 of the Zoom application, and has released a statement that it is diligently working on the issues and will release a security patch this month.
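A check a Mac administrator can run after uninstalling the app is to look for any leftover process still listening on the local machine whose name suggests Zoom. The script below is an added example, not code from the article or from Zoom; it assumes the leftover component's process name contains "zoom" and that `lsof -nP -iTCP -sTCP:LISTEN` is available. The embedded sample output, process name, PID and port are constructed placeholders, not values reported in the article.

```shell
#!/bin/sh
# Flag loopback/wildcard TCP listeners owned by a process whose name contains
# "zoom". Pass --live to inspect the running Mac; with no argument the script
# parses the constructed sample below so it can be tried offline.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output. The process
# name "zoom_helper", PID 4242 and port 12345 are placeholders.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
zoom_helper 4242 alice    7u  IPv4 0x1234      0t0  TCP 127.0.0.1:12345 (LISTEN)
rapportd     501 alice    4u  IPv4 0x5678      0t0  TCP *:49152 (LISTEN)
zoom_helper 4242 alice    8u  IPv6 0x9abc      0t0  TCP [::1]:12345 (LISTEN)'

# $1: lsof listener output. Prints "COMMAND PID ADDRESS" for every listening
# socket bound to loopback (127.x, [::1]) or all interfaces (*) whose owning
# process name matches "zoom" case-insensitively. Header line is skipped.
find_loopback_zoom_listeners() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $NF == "(LISTEN)" {
      addr = $(NF - 1)
      if (tolower($1) ~ /zoom/ &&
          (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^\*:/))
        print $1, $2, addr
    }'
}

if [ "${1:-}" = "--live" ]; then
  # lsof needs no root to list the current user's sockets; other users'
  # sockets may need sudo.
  found=$(find_loopback_zoom_listeners "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)")
else
  found=$(find_loopback_zoom_listeners "$SAMPLE_LSOF")
fi

if [ -n "$found" ]; then
  printf 'Leftover Zoom-like listener(s):\n%s\n' "$found"
else
  echo "No Zoom-like local listener found"
fi
```

A hit after the app has been uninstalled indicates a component that was not removed with it and should be investigated before it is stopped and deleted.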