The vulnerability exposed
Zoom users running Windows 7 or earlier OS versions to remote attacks
The Zoom videoconferencing
platform was affected by a zero-day vulnerability that could have allowed
attackers to execute commands remotely on affected machines. The flaw
impacted devices running the Windows operating system, specifically Windows 7
and earlier.
The company has since
addressed the issue and released a patch on Friday, with the release notes of version 5.1.3 (28656.0709) stating that
the patch “fixes a security issue affecting users running Windows 7 and older.”
Technical details about are
sparse about the vulnerability, which hasn’t been assigned a Common
Vulnerabilities and Exposures (CVE) identifier and was first described by ACROS
Security on its 0patch blog:
“The vulnerability allows a
remote attacker to execute arbitrary code on victim’s computer where Zoom
Client for Windows (any currently supported version) is installed by getting
the user to perform some typical action such as opening a document file. No
security warning is shown to the user in the course of an attack,” said
ACROS.
However, the company also
noted that the hole was “only exploitable on Windows 7 and older Windows
systems”, as well as “likely also exploitable on Windows Server 2008 R2 and
earlier”. By contrast, Windows 10 and Windows 8 are not affected.
ACROS was tipped off to the
flaw by a researcher who wanted to remain anonymous. The company then ran an
analysis of the researcher’s claims and tried out a number of attack scenarios
before forwarding its findings to Zoom along with a proof of concept and
recommendations on how to fix the issue. There is no word of attackers
exploiting the bug in the wild.
ACROS also released a quick
micropatch last Thursday that removed the vulnerability in the code before Zoom
addressed the issue with a patch of their own. The micropatch was made
available to everyone for free, with the company releasing a demonstration of
how a user could easily trigger the vulnerability.