Something that wasn't clear ("non-privileged attacker") is whether or not running the Zoom installer as a non-admin user would be sufficient for it to use its elevation mischief somehow. From what I see, it can't, because AuthorizationExecuteWithPrivileges requires an admin's credentials to do anything. But if that were the case, can you use the Mac Zoom client without an admin's permission, or not?
If you don't need to give it admin credentials (and can just give it anyone's non-special password instead) and it installs to /Applications without an admin's permission, then there's a huge problem. If you do need to give it admin credentials, this still needs to be fixed (urgently, as I'm sure there's tons of one-off developer/designer Macs that aren't monitored by IT and have the Zoom client on them), but that would mean the security model on OS X wasn't entirely broken by a badly written video conferencing installer.