Zoom has patched a security flaw in its video-conferencing software that could be exploited via chat messages to execute malicious code on a victim's device. The bug received a CVSS severity score of 5.9 out of 10, a medium-severity vulnerability.
The bug affects Zoom Client for Meetings running on iOS, Android, macOS, Linux, and Windows before version 5.10.0. Zoom has advised users to download the latest version of its software to protect against the arbitrary remote-code-execution vulnerability.
The upshot of the bug is that anyone who can send the victim chat messages could redirect the vulnerable Zoom client to a server of the attacker's choosing and have it install malicious code, such as spyware or other malware, from there.
Zoom explained in a security bulletin that earlier software versions failed "to properly validate the hostname during a server switch request".
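The bug class Zoom describes, a client that accepts whatever hostname a server-switch message names, is easiest to see next to a correct check. The following is an added example, not Zoom's code and not taken from the bulletin or Fratric's report: it assumes a hypothetical allowlist of trusted domain suffixes and a switch value that is either a bare host, host:port or an https URL, and contrasts a naive substring test with a dot-boundary suffix match on the parsed hostname.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist (an assumption for this example, not Zoom's real list):
# the client may only be redirected to hosts under these registrable domains.
TRUSTED_SUFFIXES = ("zoom.us", "zoomgov.com")

# Syntactic hostname check: labels of 1-63 chars with no leading or trailing
# hyphen, at least one dot, alphabetic top-level label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def weak_is_trusted(host: str) -> bool:
    """The bug class: a substring test that attacker-chosen names also satisfy."""
    return any(suffix in host for suffix in TRUSTED_SUFFIXES)


def is_trusted_host(host: str) -> bool:
    """Exact match or suffix match on a label boundary against the allowlist."""
    host = host.strip().rstrip(".").lower()
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def resolve_switch_target(value: str) -> Optional[str]:
    """Return the hostname a switch request may connect to, or None to refuse.

    Parsing with urlsplit means userinfo tricks such as
    'https://zoom.us@attacker.example/' yield the real host (attacker.example),
    which the allowlist then rejects; a plain-text scheme is refused outright.
    """
    candidate = value if "://" in value else "//" + value
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme and parts.scheme.lower() != "https":
        return None
    host = parts.hostname
    if host is None or not is_trusted_host(host):
        return None
    return host


if __name__ == "__main__":
    # Constructed sample switch values, the last three attacker-shaped.
    for value in ("us02web.zoom.us:443",
                  "zoom.us.attacker.example",
                  "https://zoom.us@attacker.example/",
                  "evilzoom.us"):
        print(f"{value:40} weak={weak_is_trusted(value)!s:5} "
              f"strict={resolve_switch_target(value)}")
```

The naive check accepts all four constructed values because each contains the string `zoom.us`; the strict version accepts only the first, and the point to take from the userinfo case is that the check has to run on the hostname the connection will actually use, not on the raw string from the message.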
The flaw was reported by Google’s Project Zero bug hunter Ivan Fratric, who reported it to the videoconferencing giant in February. Fratric explained in a report that no user interaction was required to pull off an attack.
“The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in the report.
Zoom’s popularity skyrocketed after Covid-induced lockdowns forced millions of office workers to work from home. The company hit 300 million daily users in April 2020, a massive surge from a paltry 10 million daily users in December 2019. Following the surge in its popularity, security and privacy experts scrutinised its policies.
The company's advertised end-to-end encryption was found not to be end-to-end in practice. Its privacy policies also appeared to let the company do whatever it wanted with personal data. While Zoom has fixed most of these flaws, new issues still crop up.
With all these issues surfacing, some users have started to look for alternatives such as Skype and Google Hangouts.