A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.
Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.
About the vulnerability
The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.
Is is present in all supported versions of the Zoom client for Windows, and the 0patch team created a micropatch for all (starting with v5.0.3 and all up to the latest one – v5.1.2).
The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.
“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.
“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.
He also says that the flaw can be exploited through several attack scenarios, but they will refrain from publishing more detailed information and the PoC exploit until Zoom fixes the issue or decides not to fix it.
Options available to users
Until Zoom pushes out a fix, the options for users who wish to stay safe are as follows:
- Temporarily stop using Zoom
- Update Windows to a newer version
- Implement the micropatch.
“We were able to quickly create a micropatch that removes the vulnerability in four different places in the [software’s] code,” Kolsek noted. The micropatches are available for free to all 0patch users until a fix is released.
“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete,” he explained.
“In case this updated Zoom Client does not fix this vulnerability, we’ll port the micropatch and make it available for free as quickly as possible.”
Zoom is working on a patch to quickly resolve the issue, but haven’t said when it will be ready.
UPDATE (July 10, 2020, 1:50 p.m. PT):
“Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10,” the company announced.
“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”