The flaw also affects older versions of the operating system, even if they're fully patched.

Dark Reading Staff, Dark Reading

July 10, 2020

Update: Zoom confirmed it has patched the vulnerability in Zoom client version 5.1.3.

An unpatched and previously unknown security vulnerability has been discovered in the Zoom Client for Windows, affecting computers running Windows 7 and older OS versions. 

The vulnerability enables a remote attacker to execute arbitrary code on a victim's machine where Zoom Client for Windows – any supported version – is installed. The flaw could be exploited by tricking a user into performing a typical action, such as opening a document file. Users will not see a security warning over the course of the attack.

Zoom has confirmed the flaw and is working on a patch, Forbes reports. The videoconferencing company was informed by security firm 0patch, which learned of the bug from a researcher who requested anonymity. 0patch analysis confirmed it's only exploitable on Windows 7 and older systems. It may be exploitable on Windows Server 2008 R2 and earlier, though the systems weren't tested. 

It's important to note Windows 7 users are vulnerable to this kind of attack even if their systems are fully updated with extended security updates, 0patch points out. Zoom clients on Windows 8 and 10 are not affected. 0patch has released a micropatch to protect users of its 0patch agent as Zoom works on its own fix.

Microsoft terminated support for Windows 7 and Windows Server 2008 earlier this year, meaning technical assistance and software updates via Windows Update are no longer available.

