Mumbai: While the auto update feature of any software is ideally supposed to secure it against threats, the latest update by Zoom, a popular video-calling app, has ended up exposing millions of Mac users to external cyber-attacks due to two vulnerabilities in the Mac version of the app.

The two vulnerabilities were officially acknowledged by Zoom last week in an official update on their website. Further, the Indian Computer Emergency Response Team (CERT-In), the country’s nodal agency for cybersecurity, also issued an advisory on Wednesday, warning Mac users of the two vulnerabilities.

According to CERT-In, vulnerabilities exist in the very process that governs Zoom’s auto update feature.

Due to these two bugs, hackers can force users to unknowingly download malware instead of the legitimate updates from Zoom, which can grant the attackers complete access to the user's device.

“Successful exploitation of the vulnerabilities could allow a local low-privilege user to escalate their privileges to root,” CERT-In has stated in its advisory.

In simple words, this means that a threat actor who starts with very limited access to the user's device can use these vulnerabilities to gain full control of its core system.

Both Zoom and CERT-In have classified the two vulnerabilities as 'High' in severity, which is the second highest severity rating after 'Critical'. Users are advised to manually install the latest update to their Zoom apps to patch these two flaws, CERT-In has stated.

Zoom is one of the most widely used video calling apps among Windows and Mac users around the world, and millions of Mac owners use Zoom for daily office work.

During the pandemic, the use of video calling apps increased tenfold due to work from home, and many organisations still follow a hybrid work policy.

As a result, the apps used by corporate employees for remote working became favourite targets for malicious hackers, commonly known as threat actors in cybersecurity parlance, who actively started looking for vulnerabilities in such apps to exploit. The advantage of targeting such apps is that breaking into a single computer grants access to the servers of an entire organisation, as employees are remotely connected to company servers.

