A zero-day vulnerability affecting the Zoom client for
Windows has been discovered that would allow an attacker to execute arbitrary
code on remote devices. Only Windows 7 and older OSes were affected, further
complicating the situation.
Zoom vulnerabilities pop up constantly, but that’s also
likely due in part to the app’s sudden popularity. The COVID-19 pandemic pushed
the Zoom app to the forefront, mostly because of permissive default features
that allowed people to use it without a premium account.
With so many users actively engaging in videoconferences,
it was just a matter of time before Zoom became an active target for hackers
and security researchers. Out of all possible problems, zero-day
vulnerabilities are the most troublesome.
In this case, the vulnerability affected only Windows 7 and older
products. Even though these products are no longer supported,
that doesn’t mean they’re not used. In fact, Windows 7 still has a market
share of around 5%. Given the large number of PCs out there, that leaves a lot
of vulnerable devices.
“The vulnerability allows a remote attacker to
execute arbitrary code on victim’s computer where Zoom Client for Windows (any
currently supported version) is installed by getting the user to perform some
typical action such as opening a document file. No security warning is shown to
the user in the course of attack,” said
the researchers from 0patch who disclosed the exploit.
For unknown reasons, the researcher who found the problem
didn’t want to report the vulnerability to Zoom and left this job to 0patch.
Following disclosure, Zoom issued a patch that covered the Windows 7 version.
Unfortunately, it’s only a matter of time before other
security issues are found with Windows 7 and its interactions with other
software. Since Microsoft no longer supports the OS, the problems will only go
away when people stop using that operating system.