A new Zoom zero-day affecting clients on Windows 7 or earlier has been discovered, originally reported by a security researcher who wished to remain anonymous. The researcher shared the finding with ACROS, a security company that posted a small number of details about the Remote Code Execution (RCE) vulnerability. The researcher did not report the zero-day to Zoom directly but gave ACROS permission to report it, which ACROS did. Zoom confirmed the vulnerability and said that it was working on a patch. The issue is only exploitable on Windows 7 and older versions of Windows. According to the ACROS CEO, “the vulnerability allows a remote attacker to execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file.” No technical details about the zero-day were released publicly, which will hopefully prevent threat actors from exploiting the vulnerability until a patch is released.
Analyst Notes
2020 has been a crazy year for Zoom: increased use and more attention from researchers have led to the discovery of many different security issues in its platform. On April 1st, 2020, the company put a freeze on all new development to focus on fixing security issues that were disclosed to it. This freeze ended on July 1st, 2020, and the new zero-day was disclosed days after. The vulnerability only affects Windows versions 7 and older, which are all past end-of-life and unsupported by Microsoft. Because Microsoft stopped supporting these systems, they are more vulnerable to attacks. If at all possible, anyone still using these systems should update as soon as possible to reduce their exposure to attacks like this one. When a patch becomes available for this issue, anyone who uses Zoom on Windows 7 computers should download it immediately.
More can be read here: https://www.zdnet.com/article/zoom-working-on-patching-zero-day-disclosed-in-its-windows-client/
https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html