The new Zoom vulnerability allows hacking victims by simply sending a message


Google experts recommend that Zoom users update their clients to version 5.10.0 to apply fixes for a number of vulnerabilities discovered by Google Project Zero security researcher Ivan Fratric.

“For a successful attack, you don’t even need to interact with the user directly. It is enough for an attacker to simply be able to send messages to the victim via the XMPP protocol in the Zoom chat,” Fratric said in the description of the vulnerability chain.

After studying the differences in how the Zoom server and clients parse XMPP messages, Fratric uncovered a chain of vulnerabilities that allowed attackers to remotely execute malicious code. To recreate the attack, the researcher sent a specially crafted message and used a man-in-the-middle attack, after which he was able to connect the “victim” to his own server, which served an old version of the Zoom client from mid-2019.

“The installer for this version is still signed properly, but does not perform any security checks of the installation cab file,” Fratric added. “To demonstrate the principle of the attack, I replaced Zoom.exe in the cab file with a binary file that opened the standard Windows calculator, and immediately after installing the ‘update’ I saw the calculator running.”
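An updater-side gate against the kind of downgrade described above, as an added example (not Zoom's code or the researcher's): the client refuses any release that is not newer than the installed one and checks the package bytes against the digest in an authenticated manifest. The manifest format, function names, key, version numbers other than 5.10.0 and package bytes are constructed assumptions, and HMAC stands in for a vendor public-key signature so the example runs with the standard library only.

```python
import hashlib
import hmac

def parse_version(text):
    """'5.10.0' -> (5, 10, 0, 0); compared numerically, never as strings."""
    parts = text.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))

def manifest_mac(key, version, sha256_hex):
    # Assumption: HMAC stands in for the vendor's public-key signature.
    return hmac.new(key, f"{version}\n{sha256_hex}".encode(), hashlib.sha256).hexdigest()

def make_manifest(key, version, package):
    """Vendor side (hypothetical): bind the version to the package digest."""
    digest = hashlib.sha256(package).hexdigest()
    return {"version": version, "sha256": digest, "mac": manifest_mac(key, version, digest)}

def check_update(installed, manifest, package, key):
    """Client side: return (accepted, reason) for an offered update."""
    version, digest, mac = (manifest.get(k, "") for k in ("version", "sha256", "mac"))
    if not hmac.compare_digest(manifest_mac(key, version, digest).encode(), mac.encode()):
        return False, "manifest not authentic"
    try:
        offered = parse_version(version)
    except ValueError:
        return False, "malformed version"
    # An authentic but older release is still refused.
    if offered <= parse_version(installed):
        return False, "downgrade refused"
    # The payload must be the exact bytes the manifest vouches for.
    if not hmac.compare_digest(hashlib.sha256(package).hexdigest(), digest):
        return False, "package digest mismatch"
    return True, "ok"

# Constructed sample data (not real Zoom packages, keys or manifests).
KEY = b"constructed-demo-key"
NEW_PKG = b"constructed cab bytes, release 5.10.0"
OLD_PKG = b"constructed cab bytes, old release"

def demo(installed="5.9.6"):
    new, old = make_manifest(KEY, "5.10.0", NEW_PKG), make_manifest(KEY, "4.4.0", OLD_PKG)
    return {
        "current release": check_update(installed, new, NEW_PKG, KEY),
        "authentic old release": check_update(installed, old, OLD_PKG, KEY),
        "swapped payload": check_update(installed, new, b"other bytes", KEY),
        "edited manifest": check_update(installed, dict(new, version="9.9.9"), NEW_PKG, KEY),
    }
```

Calling `demo()` returns the verdict for each constructed case; the "authentic old release" case is the one a validity check on the signature alone does not catch.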

In a security bulletin published last week, Zoom reported that the researcher also found a vulnerability that allows sending user session cookies to a domain not owned by the company. This vulnerability allowed attackers to carry out spoofing attacks.

Below is a list of vulnerabilities fixed by Zoom after Fratric’s report:

  • CVE-2022-22786 – allows you to downgrade the Zoom client version and affects only Windows users;

  • CVE-2022-22784;

  • CVE-2022-22785;

  • CVE-2022-22787.

The other three vulnerabilities affect Android, iOS, Linux, macOS and Windows.

Google’s Project Zero researcher discovered the vulnerabilities in February; Zoom fixed them on the server side the same month and released updated clients on April 24.
