Zoom Security Flaws Allowed Systems Hijacking

Security researchers have found a couple of security flaws in Zoom that allowed systems hijacking. As stated in their advisory, both were path traversal vulnerabilities that allowed an adversary to hack users’ systems via Zoom chats. The first of these bugs, CVE-2020-6109, existed in the way the Zoom app processed messages containing GIFs.

To exploit the bug, an attacker could simply send a specially crafted file to the target user or to a group. This would result in an arbitrary file write leading to code execution. The other vulnerability, CVE-2020-6110, existed in Zoom's processing of messages containing shared code snippets. Here, an adversary could trigger arbitrary binary planting to achieve code execution by sending a maliciously crafted message. However, for a severe impact, the bug required user interaction.
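The bug class described above (a path traversal that turns a received file into an arbitrary file write), shown from the defender's side as an added example; it is not Zoom's code and not taken from the advisory. The download directory, function names and sample file names are assumptions constructed for illustration.

```python
import ntpath
import posixpath
from pathlib import Path

# Hypothetical directory where a chat client stores received files (assumption).
DOWNLOAD_DIR = Path("/tmp/chat_client/received")


def naive_target(sender_name: str) -> str:
    """Unsafe pattern: the sender-supplied name is joined onto the base as-is."""
    return posixpath.normpath(posixpath.join(str(DOWNLOAD_DIR), sender_name))


def safe_target(sender_name: str) -> Path:
    """Reduce the name to a single leaf component and verify containment."""
    if "\x00" in sender_name:
        raise ValueError("NUL byte in file name")
    # Treat both separator styles as separators, then drop any drive prefix.
    leaf = posixpath.basename(sender_name.replace("\\", "/"))
    leaf = ntpath.splitdrive(leaf)[1]
    if leaf in ("", ".", ".."):
        raise ValueError(f"unusable file name: {sender_name!r}")
    base = DOWNLOAD_DIR.resolve()
    candidate = (base / leaf).resolve()
    # Defence in depth: the resolved path must sit directly inside the base.
    if candidate.parent != base:
        raise ValueError(f"path escapes download directory: {sender_name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ("funny.gif", "../../outside/evil.bin", "..\\..\\outside\\evil.bin", ".."):
        try:
            print(f"{name!r}: naive={naive_target(name)} safe={safe_target(name)}")
        except ValueError as err:
            print(f"{name!r}: naive={naive_target(name)} rejected ({err})")
```

The naive join lets `../` components move the write location out of the download directory, while the hardened version keeps only the final component and confirms the resolved path still sits inside the base before anything is written.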

Both vulnerabilities affected Zoom version 4.6.10, whereas CVE-2020-6110 also affected 4.6.11 and prior versions. Upon discovering the bugs, the researchers reached out to Zoom in April 2020 to inform them of the flaws. Following their report, Zoom fixed both vulnerabilities in the subsequent update. The latest Zoom version available to users is Zoom 5.0.5, to which users should upgrade.

Even after updating to this version, Zoom users should keep their devices updated with the latest software version, since vendors keep fixing security bugs as researchers identify and report them. Besides security fixes, the latest Zoom versions also include various new security features.

The most notable of these are AES 256-bit GCM encryption on meeting data and controlled data routing. These changes are all available with Zoom version 5.0. Users can visit the Zoom Download Center to find the latest versions available for their devices.