A critical Zoom vulnerability that was fixed last week did not require user interaction.


Google’s Project Zero vulnerability research team has published a detailed analysis of the critical vulnerabilities that Zoom patched last week. The flaws allowed attackers to carry out zero-click attacks that remotely executed malicious code on devices running the messaging software.

Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities allowed an attacker to compromise a victim who took no action other than opening the client. In details published Tuesday, Google Project Zero researcher Ivan Fratric explained that inconsistencies in the way Zoom clients and Zoom servers parse XMPP messages allowed an attacker to “smuggle” content that would normally be blocked. By combining these flaws with a glitch in the way Zoom’s code-signing validation works, Fratric achieved full code execution.

“No user action is required for a successful attack,” the researcher wrote. “The only ability an attacker needs is to be able to send a message to the victim via Zoom chat via the XMPP protocol.” Fratric continued:

The initial vulnerability (labeled XMPP stanza smuggling) allowed any XMPP stanza to be “smuggled” to the victim’s client by exploiting a parsing inconsistency between the Zoom client and the XML parser on the server. From there, by sending a specially crafted control stanza, the attacker can force the victim’s client to connect to a malicious server, turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying the client’s update request/response, the victim’s client downloads and executes the malicious update and executes arbitrary code. A client downgrade attack is used to bypass the update installer’s signature check. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, but some or all of the chain could be applied to other platforms.
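The last step of the chain above relies on the client accepting an older installer so that a weaker signature check applies. As an added illustration (not Zoom’s code, and not a description of how Zoom’s updater actually works), the snippet below shows the two checks a defender would want an update routine to make before executing anything: a numeric version comparison that refuses downgrades, and a code-signature result that must be valid. The `UpdateOffer` type and the version format are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumed version format for this example: "major.minor.patch" (e.g. "5.9.3").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted version string into integers.

    Comparing version strings lexically is a classic mistake:
    "5.10.0" < "5.9.3" is True as strings, so a downgrade check
    built on string comparison would let an older build through.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class UpdateOffer:
    """Hypothetical update metadata as received from the update channel."""
    version: str
    signature_valid: bool  # outcome of verifying the installer's code signature


def evaluate_update(current_version: str, offer: UpdateOffer) -> tuple[bool, str]:
    """Decide whether an offered installer may be run.

    Both conditions are independent: a valid signature on an older
    build must still be refused, because the older build may carry
    the weaker checks an attacker wants to exploit.
    """
    try:
        current = parse_version(current_version)
        offered = parse_version(offer.version)
    except ValueError as exc:
        return False, str(exc)
    if offered <= current:
        return False, f"refusing downgrade/reinstall: {offer.version} <= {current_version}"
    if not offer.signature_valid:
        return False, "installer signature did not verify"
    return True, f"install {offer.version}"


if __name__ == "__main__":
    # Constructed sample offers against a client running 5.9.3.
    for offer in (UpdateOffer("5.10.0", True), UpdateOffer("5.8.0", True),
                  UpdateOffer("5.10.0", False), UpdateOffer("5.10", True)):
        print(offer.version, evaluate_update("5.9.3", offer))
```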

In December, Zoom finally entered the 21st century by giving its macOS and Windows clients the ability to update automatically. The severity of the vulnerabilities fixed last week underscores the importance of automatic updates. Often, within hours or days of updates like these becoming available, hackers have already reverse engineered them and used them as an exploit roadmap. Still, one of the computers I use regularly for Zoom didn’t have the patch installed until Wednesday, when I thought to select the Check for Updates option.

To automatically update the Zoom client, I first had to run an intermediate version. After updating manually, the automatic update was finally performed. Readers are encouraged to check their systems to make sure they are also running the latest version.
