Zoom Zero-Day Allows RCE, Patch on the Way

Researchers said that the issue is only exploitable on Windows 7 and earlier.

UPDATE

A newly discovered bug in the Zoom Client for Windows could allow remote code-execution, according to researchers at 0patch, which disclosed the existence of the flaw on Thursday after pioneering a proof-of-concept exploit for it. The issue was confirmed for Threatpost by a Zoom spokesperson.

Update July 10: A patch has been issued. The company told Threatpost: Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

The 0patch team said that the vulnerability is present in any currently supported version of Zoom Client for Windows, and is unpatched and previously unknown — catnip for cybercriminals. However, it’s important to note that the flaw has a couple of big mitigating factors that reduce the concern around it. For one, it’s only exploitable on Windows 7 and older Windows systems, which are end-of-life and no longer supported by Microsoft (though millions of installed users remain in the wild).

Secondly, an attack requires user interaction. A target must first perform some typical action such as opening a document file for an exploit to work. That said, no security warning is shown to the user during the course of attack, according to the firm.

“Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities,” Mitja Kolsek, 0patch co-founder, told Threatpost, adding that there’s no indication of in-the-wild exploits so far. “While a massive attacks is extremely unlikely, a targeted one is conceivable.”

0patch became aware of the flaw thanks to a “private researcher” who wants to remain anonymous—that person said no disclosure was made to Zoom, but 0patch itself did submit a report.

“We…documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing,” Kolsec wrote in a Thursday posting. “Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher’s choice.”

Zoom, for it’s part, confirmed the zero-day to Threatpost and issued the following statement: “Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”

When asked why it did not observe the industry-standard 90-day disclosure period before publicizing the flaw, Kolsec told Threatpost that 0patch isn’t publishing details on the vulnerability due to the lack of a patch – and Kolsec he said there are no plans to do so until there’s an official response from the collaboration giant.

“We did not disclose vulnerability details that would allow attackers to exploit it – we only disclosed its presence and our micropatch,” Kolsec said. “Per our long-standing policy, we wouldn’t even publish details after 90 days if these details allowed attackers to attack users.” He added, “It’s only been a few hours since [Zoom] got the report. I’m sure they’ll be very quick to fix this though, judging from how quickly they fixed that UNC vulnerability in April (in a single day).”

However, the company did post a PoC video that shows how an exploit can be triggered by clicking the “start video” button in the Zoom Client:

Once the patch rolls out, consumers won’t likely need to take action to stay protected; enterprise customers however might.

“Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don’t want to be,” Kolsec wrote, adding that 0patch has issued an interim “micropatch.” “However, enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions.”

This isn’t the conferencing vendor’s first brush with unpatched bugs: As mentioned earlier, in April, two zero-day flaws were uncovered in Zoom’s macOS client version, which could have given local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera. Zoom quickly patched the issues upon being alerted to them.

This story was updated July 10 at 12:30 p.m. ET to include patch information.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles