Video conferencing software Zoom is again in the spotlight over an alleged critical vulnerability that could allow an attacker to take over the victim’s computer and all data on it.
Discovered by an unnamed security researcher and reported to Acros Security, the vulnerability is said to be present in all versions of Zoom for Windows, but reportedly only affects Windows 7 and older versions of the OS. According to Acros CEO Mitja Kolsek, the flaw is likely also exploitable on Windows Server 2008 R2 and earlier versions.
The vulnerability is apparently serious, as it allegedly allows a malicious actor to run any code on the victim’s system – essentially any type of malware (ransomware, keylogger, etc.), as well as spy on the user or copy the contents of the hard drive.
It is unclear why the hacker needs to exploit a vulnerability in Zoom if the attack “can be pulled off by getting the victim to perform a typical action such as opening a received document file,” as relayed by Acros to Help Net Security.
Kolsek says the flaw can be exploited through several attack scenarios, but his company is holding off on more detailed information and the proof-of-concept (PoC) until Zoom Video Communications acts on its flawed product. A temporary ‘micropatch’ developed by Kolsek’s company is reportedly available.
Bitdefender cannot verify the efficacy of the patch and recommends setting Zoom aside until an official fix arrives from the vendor. It is also recommended to stop using any deprecated operating system and upgrade to a newer version supported with security updates.