A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.
Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.
About the vulnerability
The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.
It is present in all supported versions of the Zoom client for Windows, and the 0patch team created a micropatch for all of them (from v5.0.3 up to the latest one, v5.1.2).
The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.
“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.
“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.
He also says that the flaw can be exploited through several attack scenarios, but that Acros Security will refrain from publishing more detailed information and the PoC exploit until Zoom either fixes the issue or decides not to fix it.