Update: Zoom confirmed it has patched the vulnerability in Zoom client version 5.1.3.
An unpatched and previously unknown security vulnerability has been discovered in the Zoom Client for Windows, affecting computers running Windows 7 and older OS versions.
The vulnerability enables a remote attacker to execute arbitrary code on a victim's machine where Zoom Client for Windows – any supported version – is installed. The flaw could be exploited by tricking a user into performing a typical action, such as opening a document file. Users will not see a security warning over the course of the attack.
Zoom has confirmed the flaw and is working on a patch, Forbes reports. The videoconferencing company was informed by security firm 0patch, which learned of the bug from a researcher who requested anonymity. 0patch analysis confirmed it's only exploitable on Windows 7 and older systems. It may be exploitable on Windows Server 2008 R2 and earlier, though the systems weren't tested.
It's important to note Windows 7 users are vulnerable to this kind of attack even if their systems are fully updated with extended security updates, 0patch points out. Zoom clients on Windows 8 and 10 are not affected. 0patch has released a micropatch to protect users of its 0patch agent as Zoom works on its own fix.
Microsoft terminated support for Windows 7 and Windows Server 2008 earlier this year, meaning technical assistance and software updates via Windows Update are longer available.
Read more details here.