Zoom has patched several high-severity vulnerabilities in its video-conferencing clients, found by security researchers at Google Project Zero.

One of the vulnerabilities patched in this update could lead to remote code execution. By sending a specially crafted message, an attacker could trick Zoom users into connecting to a server under the attacker's control without noticing anything unusual. From there the attacker could mount more sophisticated attacks: spoofing messages as if they came from another user, or potentially controlling all traffic between the server and the client.

Tracked as CVE-2022-22784, the issue was reported by Ivan Fratric, a security researcher with Google Project Zero.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said.

This is a severe issue, with a CVSS score of 8.1. It affected the Zoom clients for iOS, Android, macOS, Linux, and Windows.

The latest Zoom update also patches another high-severity vulnerability, CVE-2022-22786, likewise discovered by Ivan Fratric. Because the Zoom client did not properly check the build version of an installation package during the update process, a remote attacker could trick a user into downgrading their Zoom client to a less secure version. This vulnerability had a CVSS score of 7.5 and affected only the Windows client.
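The downgrade issue above comes down to an updater accepting a package without checking that its version is newer than what is installed. The following is an added example written for this article, not Zoom's own updater code, showing a version check of that kind alongside the classic way such checks go wrong: comparing version strings lexicographically, which ranks "5.9.3" above "5.10.0". All version numbers and the `signature_ok` flag are constructed for illustration.

```python
"""Added example (not Zoom's code): refusing an update package whose
version is not strictly newer than the installed client."""
import re
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse '5.10.0' into (5, 10, 0); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def naive_is_upgrade(installed: str, candidate: str) -> bool:
    """The flawed check: plain string comparison, which accepts 5.9.3 over 5.10.0."""
    return candidate > installed


def is_upgrade(installed: str, candidate: str) -> bool:
    """Hardened check: numeric, component-wise comparison.
    An equal version is not an upgrade, so replaying the current package is refused too."""
    cur, new = parse_version(installed), parse_version(candidate)
    # Pad to equal length so that 5.10 compares equal to 5.10.0.
    width = max(len(cur), len(new))
    cur += (0,) * (width - len(cur))
    new += (0,) * (width - len(new))
    return new > cur


def accept_update(installed: str, candidate: str, signature_ok: bool) -> bool:
    """An updater should require both a valid package signature and a strictly
    newer version. signature_ok stands in for the result of a code-signing
    check that is assumed to exist; it is not implemented here."""
    return signature_ok and is_upgrade(installed, candidate)


if __name__ == "__main__":
    # Constructed versions: the naive check lets a downgrade through.
    print("naive 5.10.0 -> 5.9.3 :", naive_is_upgrade("5.10.0", "5.9.3"))
    print("fixed 5.10.0 -> 5.9.3 :", is_upgrade("5.10.0", "5.9.3"))
    print("fixed 5.9.3 -> 5.10.0 :", is_upgrade("5.9.3", "5.10.0"))
```

The point of `accept_update` is that a signature check alone does not stop a downgrade: an older package signed by the vendor is still validly signed, so the version comparison has to be enforced as well.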

Ivan Fratric also reported a medium-severity vulnerability in Zoom, tracked as CVE-2022-22785, which Zoom patched in version 5.10.0.

It allowed an attacker to impersonate a user by causing their Zoom-scoped session cookies to be sent to a non-Zoom domain. This bug affected the video-conferencing app's iOS, Android, Linux, macOS, and Windows clients.

Finally, the latest Zoom update fixes another medium-severity vulnerability that allowed attackers to deceive users during a server-switch request. Unsuspecting users could be made to connect to a malicious server instead of Zoom's, opening the way for a more severe attack.

This issue was assigned CVE-2022-22787. Zoom version 5.10.0 patches it on Android, iOS, Linux, macOS, and Windows.
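The cookie-scoping issue and the server-switch issue above share one underlying check: before a client attaches a session cookie to a request or follows a server-switch instruction, it must verify that the destination host really belongs to the trusted domain. The block below is an added example for this article, not Zoom's client code, and the exact fix Zoom shipped is not described here. The domain `zoom.example` and all hostnames are placeholders chosen for illustration.

```python
"""Added example (not Zoom's code): domain allowlisting for session cookies
and server-switch targets, with the weak substring check for comparison."""
from urllib.parse import urlsplit

# Placeholder allowlist; the real service domains are an assumption not made here.
TRUSTED_SUFFIXES = ("zoom.example",)


def host_in_domain(host: str, suffix: str) -> bool:
    """True if host is the domain itself or a subdomain of it.
    The label boundary is enforced, so 'evilzoom.example' does not match
    'zoom.example'; case and a trailing dot are normalised first."""
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def naive_host_check(host: str, suffix: str) -> bool:
    """The weak check: a substring test with no label boundary.
    'zoom.example.attacker.test' passes this, which is the cookie-leak shape."""
    return suffix in host


def is_trusted_url(url: str) -> bool:
    """Accept only https URLs whose hostname lies inside a trusted domain.
    urlsplit().hostname strips userinfo and the port, so a URL such as
    'https://zoom.example@attacker.test/' resolves to attacker.test here."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_in_domain(parts.hostname, s) for s in TRUSTED_SUFFIXES)


def cookies_for(url: str, session_cookie: str) -> dict:
    """Attach the domain-scoped session cookie only to trusted destinations."""
    return {"session": session_cookie} if is_trusted_url(url) else {}


def accept_server_switch(requested_url: str) -> bool:
    """Follow a server-switch request only if the new server is in the trusted domain."""
    return is_trusted_url(requested_url)


if __name__ == "__main__":
    # Constructed inputs: one legitimate subdomain, two look-alike attacker hosts.
    for u in ("https://web.zoom.example/", "https://zoom.example.attacker.test/",
              "https://zoom.example@attacker.test/"):
        print(u, "->", accept_server_switch(u), cookies_for(u, "s3ss10n"))
```

The useful comparison is `naive_host_check` against `host_in_domain`: both accept a legitimate subdomain, but only the latter rejects a hostname that merely contains the trusted domain as a prefix or a label sequence. Scheme enforcement in `is_trusted_url` matters for the cookie case as well, since a session cookie delivered over plaintext is exposed regardless of the host.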

Zoom has urged users to update the client and make sure they are running the latest version.
