Zoom Vulnerabilities Fixed
Zoom has fixed six vulnerabilities that were discovered by Google Project Zero. The vulnerabilities could be exploited by sending a message through Zoom chat over the Extensible Messaging and Presence Protocol (XMPP) to allow remote code execution; no user interaction is required. Users are urged to update to Zoom version 5.10.0.
The client-side fix was out in April. All Zoom client software now supports auto-update for faster patching – make sure it is turned on for managed devices and encourage users to enable auto-update on personal devices. The same advice applies to most PC/Mac client software these days.
A few things are happening here: XMPP parsing inconsistencies allowed inclusion of malicious content (known as XMPP Stanza Smuggling) and could be used to cause the client to connect to another server, which could be a MITM; the update installer didn't fully check that what was being installed was really an update, allowing the client to be tricked into installing an older version with known vulnerabilities. The good news is Zoom has auto-update capabilities working on Mac and Windows now; the bad news is you may have to manually update to get to that version. Make sure your systems are running at least 5.10.0.
Enable the auto-update feature in your Zoom and every other piece of software that allows it. Do it for your friends and family as well.
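The two checks the comments above boil down to are "is this host at or above 5.10.0?" and "would this install move the client backwards?" (the check the installer was missing). The following is an added example, not Zoom's code; the inventory lines and hostnames are constructed, and the 5.10.0 floor is taken from the advisory above.

```python
import re
from typing import List, Tuple

# Constructed sample inventory: hostname and the Zoom client version it reports
# (hosts and versions are made up for this example).
INVENTORY = """\
laptop-01 5.10.0
laptop-02 5.9.3
desktop-07 5.10.4
kiosk-02 4.6.12
"""

MINIMUM_VERSION = "5.10.0"  # floor stated in the advisory above


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integer components.

    Comparing the integer tuples avoids the classic mistake of comparing
    version *strings*, where "5.9.3" sorts after "5.10.0" lexically.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_outdated(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True if the installed version is below the required minimum."""
    return parse_version(installed) < parse_version(minimum)


def is_downgrade(current: str, candidate: str) -> bool:
    """True if installing `candidate` over `current` would move backwards.

    An updater that accepts any validly signed package without this check
    can be fed an older release that still carries known vulnerabilities.
    """
    return parse_version(candidate) < parse_version(current)


def hosts_needing_update(inventory: str = INVENTORY,
                         minimum: str = MINIMUM_VERSION) -> List[str]:
    """Return hostnames from the inventory text running a version below `minimum`."""
    stale = []
    for line in inventory.splitlines():
        host, version = line.split()
        if is_outdated(version, minimum):
            stale.append(host)
    return stale


if __name__ == "__main__":
    print("needs update:", hosts_needing_update())
```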
Read more in:
Ars Technica: Critical Zoom vulnerabilities fixed last week required no user interaction
ZDNet: Zoom patches XMPP vulnerability chain that could lead to remote code execution
The Register: Patch now: Zoom chat messages can infect PCs, Macs, phones with malware
Dark Reading: Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message
Threatpost: Zoom Patches ‘Zero-Click’ RCE Bug
Chromium: Issue 2254: Zoom: Remote Code Execution with XMPP Stanza Smuggling