Zoom Identified And Fixed Critical Security Flaws


One of the issues fixed in Zoom permitted remote code execution, as reported by Tech Radar.

Critical flaw

Zoom has corrected a number of security flaws, including a critical flaw that might allow attackers to remotely execute code on the target endpoint.

The vulnerability, which was first found by Google Project Zero security researcher Ivan Fratric, can be exploited without the victim’s knowledge.

“All an attacker needs is the ability to send messages to the victim using Zoom chat using the XMPP protocol,” Fratric explained.

Zoom security flaws

The chain starts from the fact that Zoom’s server and its client use different XML parsing libraries, so the same XMPP message can be parsed differently by the two (the parsing issue is tracked as CVE-2022-22784). A message crafted around those differences lets an attacker smuggle a stanza to the client that the server would never relay on its own. The final step of the chain, the update package downgrade tracked as CVE-2022-22786, affects only the Windows client.
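The class of bug behind the parsing mismatch is easier to see on two concrete parsers. The following is an added example written for this article, not Zoom’s code: a hypothetical server-side filter uses a strict XML parser (expat, via xml.etree) to decide whether a stanza may be relayed, while a stand-in for a lenient client parser (Python’s html.parser, which folds tag names to lower case) interprets the same bytes. The `control` element, the stanzas and the filter rule are constructed for the demo; the point is that any input on which the two parsers disagree is a smuggling channel, and that a filter must be at least as pessimistic as every consumer of its output.

```python
"""Illustrative XML parser differential (added example, not Zoom's code).

server_filter() uses expat (xml.etree); client_sees_forbidden() uses
html.parser as a stand-in for a more lenient client-side parser.  The
element name 'control' and the sample stanzas are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements the hypothetical server refuses to relay from ordinary users.
FORBIDDEN = {"control"}


def server_filter(stanza: bytes) -> bool:
    """Strict parser: True if the server would forward this stanza as-is."""
    try:
        root = ET.fromstring(stanza)
    except ET.ParseError:
        return False  # reject anything that is not well-formed XML
    # expat is case-sensitive: <CONTROL/> is the element 'CONTROL', not 'control'
    return not any(el.tag in FORBIDDEN for el in root.iter())


class LenientClient(HTMLParser):
    """Stand-in for a lenient client parser; html.parser lower-cases tag names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def client_sees_forbidden(stanza: bytes) -> bool:
    """True if the client-side parser interprets the stanza as containing a forbidden element."""
    parser = LenientClient()
    parser.feed(stanza.decode())
    return any(t in FORBIDDEN for t in parser.tags)


def find_differential(candidates):
    """Stanzas the server relays but the client treats as privileged: the smuggling set."""
    return [c for c in candidates if server_filter(c) and client_sees_forbidden(c)]


def hardened_filter(stanza: bytes) -> bool:
    """Fix for this demo: relay only if *every* parser the stanza will meet agrees it is clean."""
    return server_filter(stanza) and not client_sees_forbidden(stanza)


# Constructed sample stanzas.
CANDIDATES = [
    b"<message><body>hi</body></message>",   # harmless; passes both parsers
    b"<message><control/></message>",        # blocked by both parsers
    b"<message><CONTROL/></message>",        # expat: 'CONTROL' (allowed); html.parser: 'control' (forbidden)
]

if __name__ == "__main__":
    for c in find_differential(CANDIDATES):
        print("smuggled past server filter:", c)
    print("hardened filter passes:", [c for c in CANDIDATES if hardened_filter(c)])
```

The real-world fix is to use the same parser on both sides or to have the server re-serialise what it validated rather than forwarding the original bytes; the hardened filter above shows the minimal defensive version, which refuses anything the two parsers disagree on.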

By sending such a message, an attacker can force the target client to switch to a server under the attacker’s control (the server-switch weakness is tracked as CVE-2022-22787) and push an old, 2019-era version of Zoom to the victim as an “update”. That downgrade is what lets the attacker go on to execute code.

“The installer for this version is still properly signed, however, it does not do any security checks on the .cab file,” the researcher explained. “To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”
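The downgrade step works because the signature check stops at the installer and never reaches the payload it carries, and because nothing refuses an “update” to a lower version. The block below is an added example for this article, not Zoom’s installer code: it shows that weak pattern beside a hardened check. An HMAC with a shared demo key stands in for the vendor’s code signature, a bytes blob stands in for the .cab, and the package layout, version numbers and helper names are all constructed for the demo.

```python
"""Update-package verification: the weak pattern beside a hardened one.

Added example, not Zoom's code.  sign()/verify() use an HMAC with a demo key
as a stand-in for an Authenticode-style signature; 'payload' stands in for
the .cab archive.  Package layout and version numbers are constructed.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"demo-vendor-signing-key"  # constructed; stands in for the vendor's private key


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def build_package(installer: bytes, payload: bytes, version: str) -> dict:
    """Vendor side: signed installer plus a signed manifest binding payload hash and version."""
    manifest = json.dumps(
        {"version": version, "payload_sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    return {
        "installer": installer, "installer_sig": sign(installer),
        "manifest": manifest, "manifest_sig": sign(manifest),
        "payload": payload,
    }


def weak_check(pkg: dict) -> bool:
    """The pattern described in the article: only the installer's own signature
    is verified, so a swapped payload or an old version both pass."""
    return verify(pkg["installer"], pkg["installer_sig"])


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def hardened_check(pkg: dict, installed_version: str) -> bool:
    """Verify the installer, verify the manifest, bind the payload to it, and refuse downgrades."""
    if not verify(pkg["installer"], pkg["installer_sig"]):
        return False
    if not verify(pkg["manifest"], pkg["manifest_sig"]):
        return False
    manifest = json.loads(pkg["manifest"])
    if hashlib.sha256(pkg["payload"]).hexdigest() != manifest["payload_sha256"]:
        return False  # payload tampered: the swapped-Zoom.exe case
    if parse_version(manifest["version"]) < parse_version(installed_version):
        return False  # downgrade: a genuinely signed but older package
    return True


def attacker_swap(pkg: dict, new_payload: bytes) -> dict:
    """Attacker reuses a genuinely signed old installer but replaces the archive contents."""
    tampered = dict(pkg)
    tampered["payload"] = new_payload
    return tampered


# Constructed scenario: a genuine 2019-era package and a current one.
GENUINE_OLD = build_package(b"installer-bin", b"Zoom.exe bytes (2019)", "4.4.0")
GENUINE_NEW = build_package(b"installer-bin", b"Zoom.exe bytes", "5.10.0")

if __name__ == "__main__":
    tampered = attacker_swap(GENUINE_OLD, b"calc.exe bytes")
    print("weak check accepts swapped payload:", weak_check(tampered))
    print("hardened check accepts swapped payload:", hardened_check(tampered, "5.10.0"))
    print("hardened check accepts downgrade:", hardened_check(GENUINE_OLD, "5.10.0"))
```

Binding the payload hash into a signed manifest is one way to close the gap; verifying the signature on every binary inside the archive before it is executed is another. Either way, the version comparison is a separate control and needs to be there too, since a downgrade package is genuinely signed.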

The flaw was addressed in the video conferencing platform’s latest update. All users are urged to patch to version 5.10.0 as soon as possible. This patch also fixes a number of other vulnerabilities, including one that enables sending user session cookies to a non-Zoom domain.

The other vulnerabilities fixed in this release are CVE-2022-22784 (improper XML parsing), CVE-2022-22785 (improperly constrained session cookies) and CVE-2022-22787 (insufficient hostname validation during server switch); these affect the Android, iOS, Linux, macOS and Windows clients.

According to ZDNet, Fratric first reported the flaws to Zoom in February this year, and Zoom fixed them a little under two months later, on April 24.


Source: Tech Radar
