A newly discovered bug in the Zoom Client for Windows could allow remote code-execution, according to researchers at 0patch, which disclosed the existence of the flaw on Thursday after pioneering a proof-of-concept exploit for it. The issue was confirmed for Threatpost by a Zoom spokesperson.
The 0patch team said that the vulnerability is present in any currently supported version of Zoom Client for Windows, and is unpatched and previously unknown — catnip for cybercriminals. However, it’s important to note that the flaw has a couple of big mitigating factors that reduce the concern around it. For one, it’s only exploitable on Windows 7 and older Windows systems, which are end-of-life and no longer supported by Microsoft.
Secondly, an attack requires user interaction. A target must first perform some typical action, such as opening a document file, for an exploit to work. That said, no security warning is shown to the user during the course of an attack, according to the firm.
“Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities,” Mitja Kolsek, 0patch co-founder, told Threatpost, adding that there’s no indication of in-the-wild exploits so far. “While a massive attack is extremely unlikely, a targeted one is conceivable.”
0patch became aware of the flaw thanks to a “private researcher” who wants to remain anonymous—that person said no disclosure was made to Zoom, but 0patch itself did submit a report.
“We…documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing,” Kolsek wrote in a Thursday posting. “Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher’s choice.”
Zoom, for its part, confirmed the zero-day to Threatpost and issued the following statement: “Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”