Zoom has patched a number of security issues

By Scott Marlette Last updated May 25, 2022

Zoom has patched several security vulnerabilities, including a high-severity one that could allow attackers to remotely execute code on the target endpoint (opens in new tab).

The bug, first discovered by Google Project Zero security researcher Ivan Fratric, can be exploited without any interaction on the victim’s side.

“The only ability an attacker needs is to be able to send messages to the victim over Zoom (opens in new tab) chat over XMPP protocol,” Fratric said in his explanation of the flaw.

Zoom security flaws

Tracked as CVE-2022-22786, the flaw revolves around the fact that Zoom’s server, and that of the client, use different XML parsing libraries, and as a result, XMPP messages get parsed differently by the two. It’s only found on Windows devices.

By sending a specific message, an attacker can force the target client to connect to a middle server, and get an old, 2019 version of Zoom, installed. That helps the attacker launch a more devastating attack.

“The installer for this version is still properly signed, however, it does not do any security checks on the .cab file,” the researcher explained. “To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”

The flaw was addressed in the video conferencing (opens in new tab) platform’s latest update. All users are urged to patch to version 5.10.0 as soon as possible. This patch also fixes a number of other vulnerabilities, including one that enables sending user session cookies to a non-Zoom domain.

Other vulnerabilities fixed in this patch are tracked as CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 and have been observed on Android, iOS, Linux, macOS, and Windows operating systems.

According to ZDNet, Fratric first discovered the flaws in February this year, while Zoom fixed a little under two months later, on April 24.

Via: ZDNet (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.