Researchers from cyber-security firm ACROS Security have disclosed a zero-day vulnerability in the Windows client of the video conferencing software Zoom.
The vulnerability is a remote code execution issue, which could allow the targeted user to perform some typical action such as opening a document file without any warning being shown to him.
The zero vulnerability was reported to ACROS by a security researcher who wanted to remain anonymous.
The vulnerability affects Windows client running on old versions of Windows OS, including Windows 7 and Windows Server 2008 R2 and earlier. Clients running on Windows 8 or Windows 10 are not affected.
“Earlier this week a security researcher shared a remote code execution “0day” vulnerability in Zoom Client for Windows with our team.” reads a post published by the experts.
“The vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. No security warning is shown to the user in the course of attack.”
ACROS reported the zero-day to Zoom and released a micropatch for its 0patch client to prevent the exploitation of the flaw for its own customers until Zoom releases an official fix.
ACROS published a video PoC of the zero-day that shows how 0patch client blocks it.
“Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.” reads the statement published by Zoom.
A Zoom spokesperson confirmed that the company is already worning on a patch.
After the disclosure of several security issues in the Zoom platform, on April 1, the company paused the development of new features and started working only to enhance the security and privacy of its platform.
Since July 1, the company resumed the development of new features.
(SecurityAffairs – hacking, RCE)