Zoom Zero-Day Allowed Remote Code Execution, Patch Issued

Zoom, the video and audio conferencing vendor, has patched a zero-day vulnerability affecting users of its Windows client on older versions of Windows: Windows 7, Windows Server 2008 R2 and earlier. The flaw was detected on Thursday and later published in a blog post by security research organization ACROS Security.

The previously unknown vulnerability allowed a remote attacker to execute arbitrary code on a targeted user's system on which one of the supported versions of the Zoom Client for Windows is installed. To set the attack in motion, the attacker manipulates the victim into carrying out a typical action, such as opening a received document file; reportedly, no security warning is displayed to the user as the attack takes place. After disclosing the zero-day to Zoom, ACROS released a micropatch for its 0patch client to protect its own customers until Zoom shipped an official patch.

In the wake of various security flaws, the company had halted development of new features so that the major privacy and security concerns threatening its users could receive the attention they needed. That "feature freeze" ended only recently, on July 1, and the zero-day was detected a few days later.

In conversation with Threatpost, 0patch co-founder Mitja Kolsek said, "Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities. While a massive attack is extremely unlikely, a targeted one is conceivable."

"Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don't want to be," he wrote. "However, enterprise admins often like to keep control of updates ..
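For admins who keep control of updates, the practical question is which hosts meet both conditions the article names: an OS at Windows 7 / Server 2008 R2 (kernel version 6.1) or older, and an installed Zoom client. The following PowerShell triage script is an added example, not code from the article, from Zoom or from ACROS; the Zoom.exe install locations it probes are assumptions about common per-user and per-machine install paths, and the fixed Zoom build number is not stated on this page, so the script reports the installed version rather than judging it patched. It requires Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the article, Zoom or ACROS): flag a Windows host that is
# both on Windows 7 / Server 2008 R2 or older and has a Zoom client installed.
# The Zoom.exe paths below are assumed common install locations, not from the page.

function Get-ZoomExposure {
    [CmdletBinding()]
    param()

    # Windows 7 and Windows Server 2008 R2 both report version 6.1.x; anything
    # with a lower major/minor is older still and also inside the affected range.
    # (A plain [version] -le compare would fail here: 6.1.7601 is greater than 6.1.)
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $legacyOs = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # Candidate Zoom.exe locations: the calling user's per-user install and the
    # per-machine install directories (assumed paths).
    $candidates = @(
        (Join-Path $env:APPDATA 'Zoom\bin\Zoom.exe'),
        'C:\Program Files\Zoom\bin\Zoom.exe',
        'C:\Program Files (x86)\Zoom\bin\Zoom.exe'
    )
    # Per-user installs of other accounts on the machine (needs rights to read
    # other profiles); wrapped in @() so an empty result adds nothing.
    $candidates += @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Zoom\bin\Zoom.exe' })

    $installs = foreach ($path in ($candidates | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path    = $path
                Version = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsCaption    = $os.Caption
        OsVersion    = $os.Version
        LegacyOs     = $legacyOs
        ZoomInstalls = @($installs)
        # In scope only when both conditions hold. Compare each Version against
        # the fixed build in Zoom's advisory before treating the host as patched.
        InScope      = $legacyOs -and (@($installs).Count -gt 0)
    }
}

Get-ZoomExposure | Format-List
```

Run it under an account that can read other users' profile directories, or wrap the call in Invoke-Command to fan it out across an estate; hosts with InScope set to True are the ones where a controlled rollout of the Zoom update, or the interim 0patch micropatch, should go first.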