A pair of security researchers at the virtual Pwn2Own hacking contest Wednesday exploited a combination of three individual zero-day bugs in the Zoom client to show how attackers could gain complete remote control of any PC or notebook computer on which the video communications software is installed.
The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.
"One of the biggest trends we see is that the participants continue to evolve and adapt to the targets," says Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, which organizes the event each year. "Even as vendors make exploitation more difficult, contestants find a path to win."
The Zoom exploit garnered security researchers Daan Keuper and Thijs Alkemade of Dutch firm Computest Security an award of $200,000 and 20 so-called Master of Pwn points. Their exploit involved chaining together three bugs in the Zoom messenger client to gain code execution on a target system, without the user having to click on or do anything. A Computest statement describes the exploit as giving the two researchers control to execute actions on the device running the Zoom client, such as turning on the camera and microphone, reading email ..