Ormandy said that holding off on publication until Zoom had patched the installer would only help future users, not the large number of people downloading the video conferencing app onto their systems now.
Zoom is aware of this issue and is working on an update to fix it.
Vulnerabilities discovered in popular video teleconferencing app Zoom could allow attackers to escalate privileges on a computer or allow access to users' webcams and microphones, according to new research from Jamf Principal Security Researcher Patrick Wardle.
The second bug exploits a weakness in the way Zoom handles the microphone and webcam on Macs.
A report suggests that Zoom is being sued in California over reports that it gave data to Facebook without telling customers, and that New York's top prosecutor is probing its security practices. The vulnerabilities in the teleconferencing and online-class platform have the potential to give local attackers root privileges, which subsequently allow them to access the victims' microphone and camera. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. "This affords malware the ability to record all Zoom meetings, or, simply spawn Zoom in the background to access the mic and webcam at arbitrary times."
Although the app offers reliability in terms of usage, the fact that it lacks end-to-end (E2E) encryption despite proudly marketing it everywhere raises a lot of concern for the millions of users around the globe who depend on the platform for their work. While recent versions of macOS require explicit user approval for these permissions, Zoom has an "exception" that allows code to be injected by third-party libraries.
Now security researchers have discovered that attackers can use the Zoom Windows client's group chat to share links that leak Windows network credentials. The FBI on Tuesday warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called "Zoom-bombing" attacks. A UNC (Universal Naming Convention) path is a Windows format for specifying the location of resources on a local-area network (LAN) and can be used to access network resources.
The flaw exists in the Zoom client's chat function.
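The chat-link problem above comes down to a client rendering UNC paths as clickable links, so a simple defensive control is to detect such paths in chat text before it reaches users, flag hosts that are not on an allowlist of known internal file servers, and rewrite the prefix so the client will not turn it into a link. The following Python scanner is an added example written for this page, not Zoom's code or the researchers' proof of concept; the chat lines, host names and IP address are constructed sample data, and the allowlist logic and `[UNC]` defanging marker are assumptions chosen for illustration.

```python
import re

# Constructed sample chat messages for demonstration (not real Zoom traffic).
# Lines 1 and 3 carry UNC paths to an internal server, line 2 a UNC path to an
# outside IP, line 0 an ordinary URL and line 4 a local drive path.
SAMPLE_CHAT = [
    "Alice: slides are at https://intranet.example/deck.pdf",
    "Bob: grab the notes from \\\\fileserver01\\share\\notes.txt",
    "Mallory: click here -> \\\\203.0.113.45\\pics\\cat.jpg",
    "Carol: or the forward-slash form //fileserver01/share/notes.txt",
    "Dave: nothing to see here, just C:\\Users\\dave\\file.txt",
]

# Matches \\host\share[\more] and the //host/share form that Windows also
# resolves. The negative lookbehind keeps "https://host/path" and the middle
# of a longer path from being reported as UNC paths.
UNC_PATTERN = re.compile(
    r"(?<![\w:\\/])"                  # not inside a URL scheme or another path
    r"(?P<prefix>\\\\|//)"            # leading \\ or //
    r"(?P<host>[A-Za-z0-9._\-]+)"     # host name or IPv4 literal
    r"[\\/]"
    r"(?P<share>[^\s\\/]+)"           # share name
    r"(?P<rest>(?:[\\/][^\s\\/]*)*)"  # optional sub-path
)


def find_unc_paths(message):
    """Return (host, share) for every UNC path found in one chat message."""
    return [(m.group("host"), m.group("share")) for m in UNC_PATTERN.finditer(message)]


def scan_chat(messages, trusted_hosts=()):
    """Scan chat lines and return one finding per UNC path.

    A UNC path pointing at a host outside the allowlist is rated 'high': a user
    who clicks it would have their client attempt an SMB connection to that host,
    which is exactly the credential-leak scenario described in the article.
    Hosts on the allowlist (assumed internal file servers) are rated 'low'.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for index, message in enumerate(messages):
        for host, share in find_unc_paths(message):
            risk = "low" if host.lower() in trusted else "high"
            findings.append({"line": index, "host": host, "share": share, "risk": risk})
    return findings


def defang(message):
    """Rewrite each UNC prefix so a chat client will not render it as a link.

    The '[UNC]' marker is an assumed convention for this example; the rest of
    the path is preserved so the reader can still see where it pointed.
    """
    return UNC_PATTERN.sub(
        lambda m: "[UNC]" + m.group("host") + "/" + m.group("share") + m.group("rest"),
        message,
    )


if __name__ == "__main__":
    for finding in scan_chat(SAMPLE_CHAT, trusted_hosts=["fileserver01"]):
        print(finding)
    print(defang(SAMPLE_CHAT[2]))
```

Run stand-alone, the script reports the three UNC paths with the outside IP rated high and the two internal-server paths rated low, and shows the defanged form of the suspicious message. In a real deployment the allowlist would be populated from the organisation's known file servers, and the scan would sit wherever chat text can be inspected before rendering.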
Zoom had publicly told the media that the information had been anonymized, but understood why the users were upset.