Zoom users are advised to update their clients to version 5.10.0 to patch some of the vulnerabilities found by Google Project Zero security researcher Ivan Fratric.
“The user doesn’t need to interact for the attack to succeed. The only capability an attacker needs is to be able to send a message to the victim via Zoom chat over the XMPP protocol,” Fratric said in a bug tracker description of the chain.
Looking at how XMPP messages are parsed differently by Zoom’s server and client, which use different XML parsing libraries, Fratric was able to spot an attack sequence that could eventually lead to remote code execution.
By sending a specially crafted message, Fratric could make the client connect to an intermediary server that served an older version of the Zoom client from mid-2019.
“The installer for this version is still properly signed, however it doesn’t perform any security checks on the .cab file,” Fratric said.
“To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opened the Windows Calculator application and observed the Calculator opened after the ‘update’ was installed.”
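A defensive counterpart to the downgrade described above, added here as an illustration and not taken from Zoom's own updater: a PowerShell check that refuses an offered version lower than the installed one and Authenticode-verifies both the installer and every binary unpacked from its .cab. The use of expand.exe, Get-AuthenticodeSignature and the ExpectedPublisher placeholder are assumptions about the update format.

```powershell
# Added example (not Zoom's code): an update-validation routine that blocks the
# two weaknesses described above, namely a downgrade to an older client and an
# installer whose own signature is valid but whose .cab payload is never checked.
# Assumptions: the update ships as an installer .exe plus a .cab of binaries,
# expand.exe (built into Windows) can unpack the .cab, and the expected
# publisher subject is the placeholder below.

function Test-UpdateAllowed {
    param(
        [Parameter(Mandatory)] [string]$InstallerPath,
        [Parameter(Mandatory)] [string]$CabPath,
        [Parameter(Mandatory)] [version]$CurrentVersion,
        [Parameter(Mandatory)] [version]$OfferedVersion,
        [string]$ExpectedPublisher = 'CN=EXAMPLE PUBLISHER'   # placeholder, not a real subject
    )

    # 1. Never accept an update that is not newer than what is installed.
    if ($OfferedVersion -le $CurrentVersion) {
        Write-Warning "Rejected: offered $OfferedVersion is not newer than installed $CurrentVersion"
        return $false
    }

    # 2. The installer itself must carry a valid signature from the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Rejected: installer signature status '$($sig.Status)'"
        return $false
    }

    # 3. Unpack the .cab and verify every PE inside it, so a swapped-in binary is caught.
    $tmp = Join-Path $env:TEMP ("cabcheck-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        & expand.exe -F:* $CabPath $tmp | Out-Null
        $bad = Get-ChildItem -Path $tmp -Recurse -Include *.exe, *.dll |
            ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
            Where-Object { $_.Status -ne 'Valid' -or $_.SignerCertificate.Subject -notlike "*$ExpectedPublisher*" }
        if ($bad) {
            $bad | ForEach-Object { Write-Warning "Rejected: unsigned or foreign binary $($_.Path)" }
            return $false
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
    return $true
}
```

Call it as `Test-UpdateAllowed -InstallerPath .\update.exe -CabPath .\update.cab -CurrentVersion 5.10.0 -OfferedVersion 5.9.0` to see the downgrade case rejected before any file is touched.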
In its security bulletin published last week, Zoom says the security researcher also found a way to send a user’s session cookie to a non-Zoom domain, which could allow forgery.
The vulnerability that allows client downgrades, CVE-2022-22786, affects only Windows users, while three other issues – CVE-2022-22784, CVE-2022-22785 and CVE-2022-22787 – affect Android, iOS, Linux, macOS and Windows.
Fratric discovered the vulnerabilities in February, with Zoom patching the server-side issues the same month and releasing updated clients on April 24.