A zero-day vulnerability in Zoom leaves Windows 7 vulnerable to hackers

Zoom Client for old Windows versions could allow remote code execution 

Zoom zero-day vulnerability detected


Zoom, a widely used conferencing software developed by Nasdaq, could be exploited by hackers due to a security flaw that allows remote code execution. According to the zero-day researchers from ACROS Security[1], who reported the issue on Thursday, the flaw affects Zoom's Windows clients[2].

The team of cybersecurity experts disclosed the flaw after analysing a proof-of-concept exploit and informed Zoom's team. Zoom has confirmed the flaw and the resulting risk and explained that a patch for the zero-day vulnerability is on the way. It is expected to be released by the end of July and to be available on Zoom's official website.

The security firm also confirmed that the Zoom zero-day vulnerability affects older Windows versions, including Windows 7, Windows Server 2008 R2, and others. At this time, Windows 8 and Windows 10 cannot be exploited for remote code execution through this flaw.

Users of older Windows versions can install a micro-patch developed by 0patch researchers[3]. The micro-patch blocks remote code execution via the zero-day vulnerability on Zoom versions from v5.0.3 up to v5.1.2.
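For an administrator who has to decide which machines the micro-patch applies to, the two conditions the article gives (an affected Windows version and a Zoom client in the v5.0.3 to v5.1.2 range) can be turned into an inventory check. The following is an added example written for this article; it is not code from 0patch, ACROS or Zoom. It assumes Windows 7 and Windows Server 2008 R2 are reported by their shared 6.1 kernel version and, because the article does not expand "and others", treats anything newer than 6.1 as not affected; the host inventory is constructed sample data.

```python
from typing import List, Tuple

# Zoom client range the article names as covered by the micro-patch.
VULNERABLE_FROM = "5.0.3"
VULNERABLE_TO = "5.1.2"

# Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.
# Assumption for this example: newer kernels are treated as not affected,
# since the article only says "and others" without listing them.
AFFECTED_OS_MAX = (6, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v5.1.2' or '6.1.7601' into a tuple of ints.

    Tuples compare numerically, so 5.1.10 sorts after 5.1.2. A plain string
    comparison would put "5.1.10" before "5.1.2" and misclassify the host.
    """
    text = text.strip().lstrip("vV")
    return tuple(int(part) for part in text.split("."))


def zoom_in_affected_range(version: str) -> bool:
    """True when the client version lies within [VULNERABLE_FROM, VULNERABLE_TO]."""
    v = parse_version(version)
    lo = parse_version(VULNERABLE_FROM)
    hi = parse_version(VULNERABLE_TO)
    # Compare only as many components as each bound has, so a build suffix
    # such as 5.1.2.1234 still counts as 5.1.2.
    return lo <= v[: len(lo)] and v[: len(hi)] <= hi


def os_in_affected_range(os_version: str) -> bool:
    """True for Windows 7 / Server 2008 R2 (kernel 6.1) and anything older."""
    return parse_version(os_version)[:2] <= AFFECTED_OS_MAX


def needs_micropatch(os_version: str, zoom_version: str) -> bool:
    """A host needs the micro-patch when both conditions from the article hold."""
    return os_in_affected_range(os_version) and zoom_in_affected_range(zoom_version)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that need the micro-patch, in inventory order."""
    return [host for host, os_ver, zoom_ver in inventory if needs_micropatch(os_ver, zoom_ver)]


# Constructed sample inventory: (hostname, Windows version, Zoom client version).
SAMPLE_INVENTORY = [
    ("pc-01", "6.1.7601", "5.1.2"),     # Windows 7, top of the affected range
    ("pc-02", "6.1.7601", "5.0.2"),     # Windows 7, older than the range
    ("pc-03", "10.0.19041", "5.1.1"),   # Windows 10, not affected
    ("srv-01", "6.1.7601", "v5.0.3"),   # Server 2008 R2, bottom of the range
    ("pc-04", "6.1.7601", "5.1.10"),    # newer than 5.1.2; string compare would get this wrong
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: apply 0patch micro-patch")
```

Feeding the sample inventory to `triage` returns `pc-01` and `srv-01` only; `pc-04` is excluded because its version is compared numerically rather than as a string.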

A request to open a document file is enough for attackers to launch the attack

The zero-day vulnerability in Zoom for Windows has not yet been publicly exploited. Moreover, as the 0patch cybersecurity team points out, the vulnerability is unlikely to become widespread because of a couple of mitigating factors. First, the flaw is restricted to Windows 7 and earlier versions. These OS versions have already reached end of support, their share of users is shrinking, and the interest of hackers is steadily shifting to newer Windows versions.

In addition, remote code execution via Zoom's security flaw requires user interaction. To run the malicious code, the potential victim has to be persuaded to open a document, click a link, enable macros, or fall for a similar social-engineering trick. The trick may fail if the user recognises such attempts to execute malicious commands, but less experienced users may easily fall for an exploit of Zoom's zero-day vulnerability. No AV tools are currently capable of detecting a malicious attempt. As Mitja Kolsek, a 0patch co-founder, points out:

The vulnerability allows a remote attacker to execute arbitrary code on the victim's computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. […] No security warning is shown to the user in the course of the attack.

Zoom is working on a patch

The researcher who detected the Zoom zero-day flaw asked to remain anonymous. However, several cybersecurity firms, including ACROS Security and 0patch, took responsibility for verifying the vulnerability and reporting it to the Nasdaq.

ACROS was the first to contact Zoom, which promptly confirmed[4] the flaw and released a comment on the issue:

Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.

Although the company did not say when the security update for Zoom's Windows clients is expected, the spokesperson confirmed that the patch is in progress. Users of Windows 7 and earlier versions should therefore check regularly for Zoom updates[5] and install the fix once it is available.

At this time, neither Zoom nor the cybersecurity researchers have provided technical details, so the zero-day vulnerability and its exploitation cannot be commented on. Silence is currently the best way to protect users from hackers, Kolsek claims, since disclosing all the details would allow attackers to exploit the flaw.