Video conferencing software Zoom is again in the spotlight over an alleged critical vulnerability that could allow an attacker to take over the victim’s computer and all data on it.

Discovered by an unnamed security researcher and reported to Acros Security, the vulnerability is said to be present in all versions of Zoom for Windows, but reportedly only affects Windows 7 and older versions of the OS. According to Acros CEO Mitja Kolsek, the flaw is likely also exploitable on Windows Server 2008 R2 and earlier versions.

The vulnerability is apparently serious, as it allegedly allows a malicious actor to run arbitrary code on the victim’s system – essentially any type of malware (ransomware, keylogger, etc.) – as well as spy on the user or copy the contents of the hard drive.

It is unclear why an attacker would need to exploit a vulnerability in Zoom at all if the attack “can be pulled off by getting the victim to perform a typical action such as opening a received document file,” as relayed by Acros to Help Net Security.

Kolsek says the flaw can be exploited through several attack scenarios, but his company is withholding more detailed information and the proof-of-concept (PoC) until Zoom Video Communications fixes its product. A temporary ‘micropatch’ developed by Kolsek’s company is reportedly available.

Bitdefender cannot verify the efficacy of the micropatch and recommends setting Zoom aside until an official fix arrives from the vendor. It is also recommended to stop using any deprecated operating system and upgrade to a newer version that still receives security updates.