Zoom has yet to patch a zero-day vulnerability that allows remote code execution in Zoom’s Windows client.
The vulnerability allows a remote attacker to execute arbitrary code on the target’s computer where Zoom Client for Windows is installed by getting the user to perform some specific action such as opening a received document file. The attack does not trigger any security warning to the user.
The zero-day is exploitable only when the Zoom Client runs on older Windows versions: Windows 7, Windows Server 2008 R2, and earlier.
According to ACROS Security, Zoom clients running on Windows 8 or Windows 10 are not affected.
Kolsek said the vulnerability was discovered by a security researcher who wanted to keep their identity secret.
The vulnerability was reported to Zoom along with a working proof of concept and recommendations for fixing it. ACROS Security has released a micropatch to prevent attacks for its customers until Zoom releases an official fix.
ACROS posted a video PoC of the zero-day that shows how an exploit can be triggered by clicking the “start video” button in the Zoom Client and then blocked by the 0patch client.
Users can choose from the following options to stay safe until Zoom releases a fix:
- Temporarily stop using Zoom
- Update Windows to newer versions
- Apply the micropatch, which can be done by creating a free account in 0patch Central, then installing the 0patch agent and registering it to your account.
“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows, and you install it on your computer, our micropatch will become obsolete,” explained Kolsek.
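To act on the affected-version boundary and the interim options above, the following added example (not from ACROS Security, Zoom or the original article) triages a constructed endpoint inventory. The CSV column names, hostnames and the `micropatch_agent` flag are assumptions; the check relies on Windows 7 and Server 2008 R2 both reporting NT version 6.1.

```python
import csv
import io

# Windows 7 and Server 2008 R2 both report NT version 6.1; Windows 8 is 6.2.
LAST_AFFECTED_NT = (6, 1)

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """\
hostname,os_version,zoom_installed,micropatch_agent
fin-ws-01,6.1.7601,yes,no
hr-ws-07,10.0.19041,yes,no
lab-srv-02,6.1.7601,yes,yes
eng-ws-11,6.3.9600,yes,no
old-kiosk,6.0.6002,no,no
scan-err,unknown,yes,no
"""

def nt_version(text):
    """Return (major, minor) from a version string, or None if unparseable."""
    parts = text.strip().split(".")
    try:
        return int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return None

def triage(row):
    """Classify one row: not-applicable, ok, mitigated, exposed or review."""
    if row["zoom_installed"].strip().lower() != "yes":
        return "not-applicable"
    version = nt_version(row["os_version"])
    if version is None:
        return "review"  # unknown OS: do not assume it is safe
    if version > LAST_AFFECTED_NT:
        return "ok"
    if row["micropatch_agent"].strip().lower() == "yes":
        return "mitigated"  # assumption: flag means agent installed and registered
    return "exposed"

def triage_inventory(csv_text):
    """Map hostname -> triage status for every row of the CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `exposed` are the ones that need one of the three options listed above; `review` rows need their OS version confirmed before they are treated as safe.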