Acros Security specialists reported a dangerous bug in the Windows client of the Zoom video conferencing application. Researchers report that the vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of the OS. It is emphasized that the bug was not found by Acros Security experts themselves, but by an information security specialist who wished to remain anonymous.
Exploiting the vulnerability, which ultimately leads to the execution of arbitrary code on the victim's computer, is quite simple: it is enough to get the target user to open a malicious document in Zoom. Moreover, the user will not see any warnings about potential danger.
Although the problem has already been reported to Zoom engineers, there is no patch for it yet, though work on one is already underway. Therefore, the Acros Security experts who develop the 0patch solution have for now prepared a temporary fix. Let me remind you that 0patch is a platform designed precisely for such situations, that is, fixes for 0-day and other unpatched vulnerabilities, support for products no longer maintained by their manufacturers, custom software, and so on.
A demonstration of the vulnerability in action, as well as blocking the bug with 0patch, can be seen below.
Zoom representatives have not yet announced the exact release dates for the patch.
Interestingly, the zero-day vulnerability became known just as Zoom finally returned to active work on the application. Let me remind you that in April of this year, after serious criticism from the information security community, Zoom suspended feature development for 90 days and during this period worked exclusively on improving the security of its product.
Over the past months, the company took into account many expert recommendations, fixed a number of security problems, created a bug bounty program, established a CISO council, and also invited many third-party experts to further develop Zoom (for example, Alex Stamos, the former head of Facebook security).
In late June, Zoom management announced that the company's new head of information security will be Jason Lee, who previously served as Senior Vice President of Security at Salesforce.