Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researchers. Zoom’s chat functionality could be exploited to allow zero-click remote code execution (RCE).
• Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.
• Google Project Zero security researchers report that an attacker can exploit a victim’s machine over Zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.
• According to a security bulletin published by Zoom, CVE-2022-22786 (CVSS 7.5) affects Windows users, while the other vulnerabilities, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787, affect Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.
• User interaction is not required for an attack. The only capability an attacker needs is the ability to send messages to the victim over Zoom chat, which uses the XMPP protocol.
• XMPP stands for Extensible Messaging and Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real time. This messaging protocol is used by Zoom for its chat functionality.
• The XMPP Stanza Smuggling vulnerability abuses parsing inconsistencies between the XML parsers on Zoom’s client and server.
• The attacker can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute.