A serious vulnerability in Zoom for macOS has remained unaddressed for more than six months, according to independent security researchers.
At the close of 2021, a security researcher uncovered a critical flaw in the Zoom installer for macOS. Zoom eventually issued a fix in August 2022, but it did not fully resolve the issue. The discovery, first highlighted in reports at The Verge, was discussed in depth at the Def Con information security conference held in Las Vegas from August 11 to 14. The researcher described how the flaw could grant an attacker complete control over macOS, provided they had already gained initial access to the target machine. That initial access is typically obtained through phishing or other social engineering that tricks a user into running compromised software or granting privileged access.
After identifying the vulnerability, the researcher promptly notified the Zoom development team and supplied a detailed description of the bug along with steps that could be taken to fix it. The patch released by Zoom on the eve of Def Con offered only a partial remedy. It mitigated the specific exploit path described by the researcher but did not seal the vulnerability entirely, leaving open the possibility for alternative attack vectors or future exploitation under different conditions.
The researcher described the experience as awkward, having acted as both discoverer and adviser: the bug was reported to Zoom together with instructions for fixing it. The researcher emphasized that following that guidance could have removed the risk earlier, and the episode underscored the gap that can exist between disclosure and comprehensive remediation in software used widely across workplaces and personal environments.
As coverage of the issue continued, Zoom expressed commitment to resolving the problem and indicated ongoing efforts to address it comprehensively. Journalistic accounts cited Zoom’s work to tighten security and reduce exposure for macOS users, with the understanding that software vulnerabilities can remain stubborn even after initial patches.
Additional reporting noted broader regulatory and market contexts, including separate matters related to data localization and regulatory penalties in various regions. These items reflect the wider landscape in which software security concerns unfold, highlighting the need for robust privacy protections and accountable responses from software vendors when sensitive user data could be at risk.