Cisco Talos, Cisco's threat intelligence group, has found two critical flaws in the video chat platform Zoom that allow attackers to execute malicious code on users' machines. Talos worked with Zoom to fix the issues and confirmed, in a blog post, that Zoom had addressed them on its servers but that the platform "still requires a fix on the client side".
The first vulnerability exists in version 4.6.10 of Zoom’s software and is related to sending animated GIFs via the platform’s chat feature. “A specially crafted chat message can cause an arbitrary file write, which could potentially be further abused to achieve arbitrary code execution,” the company wrote in the blog post.
When a user posts a GIF, the Zoom client fetches it from the servers of the GIF search engine Giphy. A specially crafted message can instead make the client fetch the file from an arbitrary, attacker-chosen server, which Talos says could be used to "further leak information or abuse other vulnerabilities". Because the client writes what it receives to disk, an attacker who controls the server also controls what gets written: that is the arbitrary file write Talos describes.
The second exploit is a remote code execution vulnerability in the same version of the Zoom software. “A specially crafted chat message can cause an arbitrary binary planting, which could be abused to achieve arbitrary code execution,” wrote Cisco Talos.
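Both findings come down to a chat client saving something an attacker chose, from a place the attacker chose. The following is an added example, not Zoom's or Cisco Talos's code, of the two checks a client should apply before writing a media file referenced in a chat message: an origin allowlist, so the fetch can only go to the expected host, and path confinement, so the name carried in the message cannot place a file outside the cache directory (or plant an executable there). The function names, the allowlist and the sample messages are assumptions made for the example; the weak pattern is shown beside the hardened one.

```python
# Added example (not Zoom's or Cisco Talos's code): the two checks a chat
# client should apply before saving a media file referenced in a message.
# Function names, the host allowlist and the sample messages are assumptions.
import os
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: the only origins the client is expected to fetch GIFs from.
ALLOWED_HOSTS = {"giphy.com", "media.giphy.com"}
ALLOWED_SUFFIXES = {".gif"}


def url_is_allowed(url: str) -> bool:
    """Fetch only over HTTPS and only from an allowlisted host.

    urlparse().hostname strips userinfo and ports, so
    'https://media.giphy.com@attacker.example/x.gif' yields
    attacker.example and is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def unsafe_output_path(cache_dir: str, file_name: str) -> str:
    """The weak pattern: trust the name from the message and join it onto
    the cache directory. '../' sequences walk out of cache_dir."""
    return os.path.join(cache_dir, file_name)


def safe_output_path(cache_dir: str, file_name: str):
    """Return a path inside cache_dir for file_name, or None if the name
    would escape it or is not a bare GIF filename."""
    base = Path(cache_dir).resolve()
    # Reject anything that is not a bare filename: separators of either
    # flavour, '.', '..', empty names.
    leaf = os.path.basename(file_name.replace("\\", "/"))
    if leaf != file_name or leaf in ("", ".", ".."):
        return None
    # Only the media type we expect; an .exe or .dll has no business here.
    if Path(leaf).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    target = (base / leaf).resolve()
    # Belt and braces: the resolved target must sit directly under base.
    if target.parent != base:
        return None
    return target


def decide(message: dict, cache_dir: str):
    """Apply both checks to one chat message and say what the client should do."""
    if not url_is_allowed(message["gif_url"]):
        return ("reject", "origin not allowlisted")
    target = safe_output_path(cache_dir, message["file_name"])
    if target is None:
        return ("reject", "unsafe file name")
    return ("ok", target)


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"gif_url": "https://media.giphy.com/media/abc123/giphy.gif",
     "file_name": "giphy.gif"},
    {"gif_url": "https://attacker.example/giphy.gif",
     "file_name": "giphy.gif"},
    {"gif_url": "https://media.giphy.com/media/abc123/giphy.gif",
     "file_name": "../../.ssh/authorized_keys"},
    {"gif_url": "https://media.giphy.com/media/abc123/giphy.gif",
     "file_name": "update.dll"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["file_name"], "->", decide(m, "/tmp/zoom-cache"))
```

The order of the checks matters: rejecting the origin first means a message that fails the allowlist never triggers a fetch at all, so an attacker-controlled server never sees the client connect, let alone gets to influence the filename.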
Talos has confirmed that both issues were fixed in Zoom version 4.6.12; versions 4.6.10 and 4.6.11 are affected, and possibly earlier versions as well. Users running version 4.6.12 or later are therefore no longer exposed to these vulnerabilities. The issues were reported to Zoom on 4 April and fixed by 28 May.
Zoom recently reported 169% year-on-year (YoY) revenue growth for the quarter ended 30 April. The company has been one of the biggest beneficiaries of the shift to working from home and remote conferencing brought on by the coronavirus pandemic, gaining millions of new users.
That sudden growth exposed many security weaknesses in Zoom's software, which prompted the company to announce a 90-day feature freeze during which it worked only on fixing those issues. The timeline presented by Cisco Talos suggests that these two vulnerabilities were fixed during that 90-day freeze.