Critical Zoom vulnerabilities fixed last week required no user interaction

Google’s Project Zero vulnerability research team has detailed critical vulnerabilities, patched by Zoom last week, that made it possible for attackers to carry out zero-click attacks that remotely ran malicious code on devices running the messaging software.

Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities made it possible to carry out attacks even when the victim took no action other than having the Zoom client open. As detailed on Tuesday by Google Project Zero researcher Ivan Fratric, inconsistencies in how the Zoom client and Zoom servers parse XMPP messages made it possible to “smuggle” content in those messages that would normally be blocked. By combining these flaws with a glitch in the way Zoom’s code-signing verification works, Fratric achieved full code execution.

“User interaction is not required for a successful attack,” the researcher wrote. “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.” Fratric continued:
