Security experts found 0-day vulnerability in Zoom Windows client

Acros Security experts discovered a 0-day vulnerability in the Windows client of the Zoom application for video conferencing. Researchers report that the vulnerability is a threat to Windows 7, Windows Server 2008 R2, as well as earlier versions of the OS.

It is emphasized that the bug was not found by Acros Security experts themselves, but by a certain information security specialist who wished to remain anonymous.

“Exploiting a vulnerability that ultimately leads to the execution of arbitrary code on the victim’s computer is very simple: just force the target Zoom user to open a malicious document. Moreover, the user will not see any warnings about potential danger during the attack,” say Acros Security researchers.

Zoom engineers have already received a report about the problem and work on a fix is underway, but there is no patch for it yet. Therefore, the Acros Security experts, who develop the 0patch solution, have prepared a temporary fix in the meantime.

0patch is a platform designed for exactly such situations: fixes for 0-day and other unpatched vulnerabilities, support for products that are no longer supported by their manufacturers, custom software, and so on.

A demonstration of the vulnerability in action, as well as of 0patch blocking the bug, can be seen in the video.

Zoom representatives have not yet announced the exact release dates for the patch.

Interestingly, the zero-day vulnerability became known precisely when Zoom finally returned to active work on the application.

Let me remind you that in April of this year, after serious criticism from the information security community and the refusal of international companies and government structures to use the application, Zoom suspended development for 90 days and during this period was engaged exclusively in improving the security of its product.

Over the past months, the company took into account many expert recommendations, fixed a number of security problems, created a bug bounty program, established a CISO council, and also invited many third-party experts to further develop Zoom (for example, Alex Stamos, the former head of Facebook security).

At the end of June, Zoom management announced that Jason Lee, who previously served as Salesforce’s senior vice president of security, will become the company’s new head of information security.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
