Zoom patches XMPP vulnerability chain that could lead to remote code execution | ZDNet

shutterstock-1613076505.jpg

Image: Shutterstock / fizkes

Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracker description of the chain.

Looking at the way XMPP messages are parsed differently by Zoom’s server and clients, since they use different XML parsing libraries, Fratric was able to uncover an attack chain that ultimately could lead to remote code execution.

If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server that served up an old version of the Zoom client from mid-2019.

“The installer for this version is still properly signed, however it does not do any security checks on the .cab file,” Fratric said.

“To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”

In its security bulletin published last week, Zoom said the security researcher also found a way to send user session cookies to a non-Zoom domain, which could allow for spoofing.

The CVE-2022-22786 vulnerability that allowed for downgrading the client only impacted Windows users, while the other three issues — CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 — impacted Android, iOS, Linux, macOS, and Windows.

Fratric discovered the vulnerabilities in February, with Zoom patching its server-side issues the same month, and releasing updated clients on April 24.

Related Coverage

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.