CATEGORIES
home News

Researchers Expose Major Security Flaws In Zoom That Could Leave Any PC Vulnerable

by Shane McGlaunSunday, June 07, 2020, 01:30 PM EDT
hacker

During the coronavirus pandemic, many people who have been working and learning from home have turned to video chat service Zoom. However, the service has had more than its fair share of issues with security and privacy over the last few months. Two new vulnerabilities have surfaced in the video chat platform that could allow malicious users to execute code on targeted computers.

Both the vulnerabilities were discovered by Cisco Talos, which is a cyber threat intelligence team that provides network security solutions against emerging threats. Cisco Talos adhered to its coordinated disclosure policy, working with Zoom to ensure that both issues were addressed. One of the issues, TALOS-2020-1056, was patched in May. The other is TALOS-2020-1055, and while Zoom issued a server-side update, Cisco Talos believes that this particular issue requires a patch on the client-side to eliminate the security risk.

zoom app

TALOS-2020-1055 is described as a "Zoom client application chat Giphy arbitrary file write exploit." The security researchers say that a specially-crafted chat message can cause an arbitrary file write, which could be further exploited to achieve code execution on the target machine. To exploit the vulnerability, the attacker would send a message to a user, or group of users. While only Giphy servers were supposed to be used for the feature, the content from an arbitrary server could be loaded. It could then be leveraged to further leak information or exploit additional vulnerabilities.

Vulnerability TALOS-2020-1056 is described as a "Zoom client application chat code snippet remote code execution vulnerability." Talos says an exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages, including shared code snippets. To exploit the vulnerability, attackers would craft chat messages that could allow arbitrary code execution. That specially-crafted message could then be sent to an individual user or group to exploit the vulnerability. The target user would have to interact with the message for the most severe impact from the flaw.

As previously mentioned, Zoom has had other security issues tied to increased usage during the coronavirus pandemic. Zoom has been hit with a class-action shareholder lawsuit over some security lapses that impacted its stock price. In April, it was discovered that half a million Zoom accounts compromised by hackers were up for sale on the dark web.

Update 6/8/20:

Cisco TALOS has worked in concert with Zoom which then pushed its V5 update to all users on 5/30. It's critical to ensure your Zoom installation has received this patch, which as of this article update is version: 5.0.5 (26213.0602).
Tags:  security, zoom, (nasdaq:zm)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment