The bug, first discovered by Google Project Zero security researcher Ivan Fratric, can be exploited without any interaction on the victim’s side.
“The only ability an attacker needs is to be able to send messages to the victim over Zoom (opens in new tab) chat over XMPP protocol,” Fratric said in his explanation of the flaw.
Zoom security flaws
Tracked as CVE-2022-22786, the flaw revolves around the fact that Zoom’s server, and that of the client, use different XML parsing libraries, and as a result, XMPP messages get parsed differently by the two. It’s only found on Windows devices.
By sending a specific message, an attacker can force the target client to connect to a middle server, and get an old, 2019 version of Zoom, installed. That helps the attacker launch a more devastating attack.
“The installer for this version is still properly signed, however, it does not do any security checks on the .cab file,” the researcher explained. “To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”
The flaw was addressed in the video conferencing (opens in new tab) platform’s latest update. All users are urged to patch to version 5.10.0 as soon as possible. This patch also fixes a number of other vulnerabilities, including one that enables sending user session cookies to a non-Zoom domain.
Other vulnerabilities fixed in this patch are tracked as CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 and have been observed on Android, iOS, Linux, macOS, and Windows operating systems.
According to ZDNet, Fratric first discovered the flaws in February this year, while Zoom fixed a little under two months later, on April 24.