Zoom patches zero‑day flaw in Windows client

The vulnerability exposed Zoom users running Windows 7 or earlier OS versions to remote attacks



The Zoom videoconferencing platform was affected by a zero-day vulnerability that could have allowed attackers to remotely execute commands on affected machines. The flaw impacted devices running the Windows operating system, specifically Windows 7 and earlier.


The company has since addressed the issue, releasing a patch on Friday; the release notes for version 5.1.3 (28656.0709) state that the patch “fixes a security issue affecting users running Windows 7 and older.”


Technical details about the vulnerability are sparse. It hasn’t been assigned a Common Vulnerabilities and Exposures (CVE) identifier and was first described by ACROS Security on its 0patch blog:


“The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. No security warning is shown to the user in the course of an attack,” said ACROS.


However, the company also noted that the hole was “only exploitable on Windows 7 and older Windows systems”, as well as “likely also exploitable on Windows Server 2008 R2 and earlier”. By contrast, Windows 10 and Windows 8 are not affected.



ACROS was tipped off to the flaw by a researcher who wanted to remain anonymous. The company then ran an analysis of the researcher’s claims and tried out a number of attack scenario ..