Critical Zoom vulnerabilities fixed last week required no user interaction

 In Biz & IT, exploits, patches, vulnerabilities, zoom


Google’s Project Zero vulnerability research team detailed critical vulnerabilities Zoom patched last week that made it possible for hackers to execute zero-click attacks that remotely ran malicious code on devices running the messaging software.

Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities made it possible to perform attacks even when the victim took no action other than to have the client open. As detailed on Tuesday by Google Project Zero researcher Ivan Fratric, inconsistencies in how the Zoom client and Zoom servers parse XMPP messages made it possible to “smuggle” content in them that usually would be blocked. By combining those flaws with a glitch in the way Zoom’s code-signing verification works, Fratric achieved full code execution.

“User interaction is not required for a successful attack,” the researcher wrote. “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.” Fratric continued:
