The vulnerability exposed Zoom users running Windows 7 or earlier OS versions to remote attacks
The Zoom videoconferencing platform was affected by a zero-day vulnerability that could have allowed attackers to execute commands remotely on affected machines. The flaw impacted devices running the Windows operating system, specifically Windows 7 and earlier.
The company has since addressed the issue and released a patch on Friday, with the release notes of version 5.1.3 (28656.0709) stating that the patch “fixes a security issue affecting users running Windows 7 and older.”
Technical details about are sparse about the vulnerability, which hasn’t been assigned a Common Vulnerabilities and Exposures (CVE) identifier and was first described by ACROS Security on its 0patch blog:
“The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. No security warning is shown to the user in the course of an attack,” said ACROS.
However, the company also noted that the hole was “only exploitable on Windows 7 and older Windows systems”, as well as “likely also exploitable on Windows Server 2008 R2 and earlier”. By contrast, Windows 10 and Windows 8 are not affected.
RELATED READING: Windows 7 end of life: Time to move on
ACROS was tipped off to the flaw by a researcher who wanted to remain anonymous. The company then ran an analysis of the researcher’s claims and tried out a number of attack scenarios before forwarding its findings to Zoom along with a proof of concept and recommendations on how to fix the issue. There is no word of attackers exploiting the bug in the wild.
ACROS also released a quick micropatch last Thursday that removed the vulnerability in the code before Zoom addressed the issue with a patch of their own. The micropatch was made available to everyone for free, with the company releasing a demonstration of how a user could easily trigger the vulnerability.
The COVID-19 pandemic has led many companies to switch to remote work and people to practice social distancing, with videoconferencing apps swiftly becoming de rigueur for work and social life alike.
In Zoom’s case, the unexpected limelight also helped reveal a slew of security and privacy lapses affecting the platform, ultimately prompting its CEO Eric S. Yuan to announce a 90-day feature freeze to remedy the issues. The self-imposed pause on feature updates elapsed earlier this month.
At any rate, Zoom users would be well advised to apply the latest patch to mitigate the risk of a malicious actor attacking their devices. Should you want to strengthen your videoconferencing security, ESET Chief Security Evangelist Tony Anscombe had some thoughtful advice to share in a pair of recent articles – one general article about videoconferencing with security in mind and the other devoted specifically to getting your Zoom settings right.