New Zoom Video Conferencing App flaws let potential hackers gain access to the PC/laptop/smartphone of participants via chat messages
Just two days back we had discussed how Zoom video conferencing App developers were raking in the moolah despite the security concerns. Now researchers at Talos Intelligence have discovered two new flaws in the Zoom App which can allow potential hackers to remotely execute code on a participant's PC/laptop/smartphone.
Talos researchers found two vulnerabilities in the popular Zoom video chatting App that allow a malicious user in the conference to execute arbitrary code on victims' devices.
The first vulnerability found by Talos researchers has been given the CVE identifier CVE-2020-6109 and exists in Zoom App version 4.6.10. This particular flaw allows any potential hacker to send a specially crafted malware-laden message to a Zoom participant and gain access to the device. Talos researchers explained that the vulnerability is due to improper limitation of a pathname to a restricted directory, i.e. path traversal. Any hacker could use this vulnerability to send a specially crafted message that performs arbitrary file read/write on the device and, from there, gain remote control of it.
The actual vulnerability lies in the fact that filenames are not sanitized in any way and so allow directory traversal. This means that a specially crafted id attribute of the Giphy tag could contain a file path that writes a file outside Zoom's install directory, and indeed into any directory writable by the current user.
The second flaw found by Talos researchers has been given the identifier CVE-2020-6110. This vulnerability exists in two Zoom App versions, 4.6.10 and 4.6.11. Any potential hacker could send a specially crafted message that uses this vulnerability to achieve remote code execution.
An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required.
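Both flaws described above come down to the same root cause: a filename taken from a remote chat message (the Giphy id attribute in the first case, a shared code snippet in the second) is joined onto a directory on disk without being checked, so a path containing `..` components can land a file outside the intended folder. The following is an added example, not Zoom's code and not from the Talos advisory, showing the two checks a client should apply before writing any remotely supplied media to its cache: an allow-list on the identifier itself, and a containment check on the fully resolved path. The cache directory, the `.gif` extension and the sample ids are constructed for this illustration.

```python
import os
import re

# Constructed allow-list for this example: a media id may only contain letters,
# digits, underscore and hyphen, so it cannot carry "..", "/" or "\" at all.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafePathError(ValueError):
    """Raised when a remotely supplied name would escape the cache directory."""


def cache_path_for(base_dir: str, untrusted_id: str, ext: str = ".gif") -> str:
    """Return the on-disk path where media with this id may be stored.

    Two independent checks are applied, so a bug in one does not silently
    reopen the traversal:
      1. the id must match the allow-list (rejects separators and dots), and
      2. the final path is resolved (symlinks and ".." collapsed) and must
         still lie inside base_dir.
    """
    if not SAFE_ID.fullmatch(untrusted_id):
        raise UnsafePathError(f"rejected id: {untrusted_id!r}")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_id + ext))

    # commonpath (not startswith) is used so that a sibling directory such as
    # "/app/cache2" is not mistaken for being inside "/app/cache".
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes cache dir: {candidate}")
    return candidate


def is_contained(base_dir: str, untrusted_id: str) -> bool:
    """Convenience wrapper: True if the id resolves to a path inside base_dir."""
    try:
        cache_path_for(base_dir, untrusted_id)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample ids as they might arrive in a chat message.
    cache = "/tmp/example_media_cache"
    for sample in ["abc123", "../../Desktop/payload", "..\\..\\startup\\payload",
                   "/etc/passwd", "ok_name-42"]:
        verdict = "accepted" if is_contained(cache, sample) else "REJECTED"
        print(f"{sample!r:32} -> {verdict}")
```

The allow-list alone would already stop every traversal input shown, but the resolved-path check is kept because it also catches cases the regex cannot see, such as a symlink already present inside the cache directory that points elsewhere.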
Talos Intelligence submitted both vulnerabilities to the Zoom App developers, and both flaws have been fixed in the May 30th update. If you have not updated to the latest Zoom version, your PC/laptop and smartphone are still vulnerable to these flaws.
Do remember that, due to the popularity of Zoom video clients during the coronavirus pandemic, Zoom users are prime targets for hackers and cybercriminals. You should update your Zoom App immediately, or shift to some other video conferencing App as soon as possible.