The Zoom web conference Client contained a zero-day vulnerability that could have allowed attackers to execute commands on vulnerable systems remotely.
The exploitation of the vulnerability required at least some form of action on the victim’s end, such as downloading and opening a malicious attachment, however, no security notifications would be triggered during exploitation.
A researcher, who prefers to remain anonymous, reached out to the 0patch team disclosing the vulnerability rather than reporting it directly to Zoom.
Researchers at 0patch then issued a “micropatch” free of charge until Zoom could release their own.
“According to our guidelines, we’re providing these micropatches to everyone for free until Zoom has fixed the issue or made a decision not to fix it. To minimize the risk of exploitation on systems without 0patch, we’re not publishing details on this vulnerability until Zoom has fixed the issue, or made a decision not to fix it, or until such details have become public knowledge in any way,” explained 0patch in a blog post.
While the company refrained from disclosing complete details of the remote code execution flaw, they did post a Proof-of-Concept video vaguely demonstrating the exploitation:
“Some social engineering is almost always required with client-side RCEs; some require the user to open a malicious document, some to visit a malicious web page, some to connect to a malicious RDP server etc. These are no unusual actions for the user, but they may not perform them without some lure,” 0patch co-found Mitja Kolsek told BleepingComputer.
Zoom has released a patch in the latest version 5.1.3 (28656.0709) for Windows users as of July 10th, and users are advised to download the newest version of the client app.
The release notes confirm the update “fixes a security issue affecting users running Windows 7 and older.”
The vulnerability is only known to be exploitable on Windows 7 and earlier versions, but may also be exploitable on Windows Server 2008 R2 and earlier though.
0patch advised its users that their micropatch will safeguard users against this vulnerability regardless of the OS being used.
Zoom has also released notes on a planned update scheduled to go out for Phone and Web users on July 12, 2020.
The update promises to step up encryption from AES-128 to AES-256 by default. It also introduces a “call monitoring” feature for Mobile users, effectively empowering them to “listen to a call without the parties being aware; speak to a phone user in a call without other parties being aware; join a call and speak to all parties; or take over the call from another user.”
Among other features and enhancements is what’s called the “Singapore data center option.” The option enables account owners and admins to route real-time meetings and webinar traffic via data centers located in Singapore.
Additionally, the July 12th Web update comes out with a customized speed dial supporting the busy lamp field (BLF) feature, call parking, the ability to create a shared directory of external contacts, and “minor bug fixes.”
Meanwhile, the update will enable Phone users to access phone user directories and transfer active calls to the voicemail inbox of another user.
Zoom users are advised to turn on auto-updates to protect themselves against security flaws and take advantage of the latest product offerings.