Zoom is one of the most widely used tools during the pandemic, although this has allowed the discovery of multiple security errors. Specialists from a cyber security consulting company report the detection of a zero-day vulnerability that could allow remote code execution in the application for Windows systems.
According to 0patch researchers, this flaw affects any version of the Zoom client for Windows and had not been identified before, either by the cybersecurity community or by malicious hackers. It should be noted that the flaw is only exploitable on Windows 7 and earlier systems; because these systems approach the end of their useful life, the scope of the operation is significantly reduced.
In addition, a threat actor requires interaction with the potential victim, the experts of the cyber security consulting company mentioned. Attacked users will need to take some routine actions, such as opening a file that works as an exploit, although it is unlikely that victims might notice any indication of suspicious activity.
In this regard, a spokesperson from Zoom stated: “We take all reports of possible vulnerabilities seriously. A few hours ago we received a report about an issue affecting users of Windows 7 and earlier systems; we can confirm that the flaw is real and we are working on a patch to resolve the flaw quickly.”
On the decision not to disclose the vulnerability, Zoom’s representative mentioned that the flaw was not disclosed to the public due to the risk of exploitation: “It hasn’t even been a full day since the flaw was reported to us, but the security patch will be released shortly,” the spokesman added.
In its proof of concept, Zoom reveals how an exploit can be activated by clicking the “Start Video” button in the app. When the patch is installed, users should not take additional actions to mitigate the risk of exploitation, they mention specialists from the cyber security consulting company.
The developers of the app have recently released multiple fixes. Last April, two zero-day flaws were discovered in Zoom for macOS systems that could have been exploited to gain high root privileges on the target system, in addition to the ability to access the microphone and camera of the affected device.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.