Google’s Project Zero vulnerability research team has detailed critical vulnerabilities in Zoom that were patched last week. They allowed attackers to carry out zero-click attacks, remotely executing malicious code on devices running the Zoom client.
The vulnerabilities, tracked as CVE-2022-22786 and CVE-2022-22784, allowed attacks to be carried out even if the victim did nothing beyond having the client running. As detailed on Tuesday by Ivan Fratric, a researcher at Google Project Zero, inconsistencies in the way the Zoom client and servers parse XMPP messages allowed content to be “smuggled in” that would normally be blocked. By chaining these parsing discrepancies with a flaw in how Zoom verifies update installer signatures, Fratric achieved full code execution.
“No user interaction is required for a successful attack,” the researcher wrote. “The only skill an attacker needs is to send messages to the victim over the Zoom chat using the XMPP protocol.” Fratric continued:
The initial vulnerability (dubbed XMPP stanza smuggling) abuses parsing inconsistencies between XML parsers on Zoom’s client and server to “smuggle” arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the affected client downloads and executes a malicious update, leading to arbitrary code execution. A client downgrade attack is used to bypass update installer signature verification. This attack has been demonstrated against the latest (5.9.3) client on Windows 64-bit; however, some or all parts of the chain are likely applicable to other platforms.
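To make the “parsing inconsistency” step concrete, here is an added, constructed example (not Fratric’s code and not Zoom’s actual parsers; the specific discrepancy Project Zero found is not reproduced here). It models the class of bug: a server-side filter parses each stanza with a spec-conformant XML parser and lets only chat stanzas through, but then forwards the original bytes; a hand-rolled client parser with no CDATA support reads those same bytes differently and sees an `<iq>` control stanza where the server saw only body text. The addresses, namespace and stanza names are hypothetical; the second filter shows the fix, which is to re-serialize what was validated instead of relaying the raw input.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Stanza types the (constructed) server-side filter is willing to forward to a client.
ALLOWED_STANZAS = {"message", "presence"}


def server_filter(raw: str) -> Optional[str]:
    """Constructed server-side filter: parse the stanza with a spec-conformant
    XML parser and forward it only if the top-level element is a chat stanza.
    The bug modelled here is that it forwards the ORIGINAL bytes rather than
    the structure it actually validated."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag not in ALLOWED_STANZAS:
        return None  # a bare <iq> control stanza is rejected, as intended
    return raw


def server_filter_fixed(raw: str) -> Optional[str]:
    """Same policy, but re-serialises the parsed tree so the client receives
    exactly what the server validated (CDATA text becomes escaped text)."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag not in ALLOWED_STANZAS:
        return None
    return ET.tostring(root, encoding="unicode")


# A hand-rolled tag scanner standing in for a lenient client-side parser.
# It understands start, end and self-closing tags but has no notion of CDATA
# sections, so a "<" inside <![CDATA[ ... ]]> looks like markup to it.
TAG_RE = re.compile(r"<(/?)([A-Za-z][\w:.-]*)([^>]*?)(/?)>")


def naive_client_stanzas(raw: str) -> List[str]:
    """Return the names of the top-level elements the naive client parser
    believes it received; each one would be dispatched as its own stanza."""
    depth = 0
    top_level: List[str] = []
    for m in TAG_RE.finditer(raw):
        closing, name, _attrs, self_closing = m.groups()
        if closing:
            depth -= 1
            continue
        if depth == 0:
            top_level.append(name)
        if not self_closing:
            depth += 1
    return top_level


# Constructed sample traffic (hypothetical address and namespace).
BENIGN = "<message to='victim@example.invalid'><body>hello</body></message>"
DIRECT_IQ = "<iq type='set' id='c1'><query xmlns='urn:example:control'/></iq>"
# The attacker's chat message: to the conformant parser the CDATA section is
# opaque body text; to the naive client it closes the message and starts an <iq>.
SMUGGLED = (
    "<message to='victim@example.invalid'><body><![CDATA["
    "</body></message>"
    "<iq type='set' id='c1'><query xmlns='urn:example:control'/></iq>"
    "<message><body>"
    "]]></body></message>"
)


def demo() -> dict:
    """Run both filters over the samples; the vulnerable path lets an <iq>
    reach the client inside what the server believed was a single <message>."""
    return {
        "benign_forwarded": server_filter(BENIGN) == BENIGN,
        "direct_iq_blocked": server_filter(DIRECT_IQ) is None,
        "client_sees_vulnerable": naive_client_stanzas(server_filter(SMUGGLED) or ""),
        "client_sees_fixed": naive_client_stanzas(server_filter_fixed(SMUGGLED) or ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path yields `['message', 'iq', 'message']` on the client side even though the server only ever saw one `message` stanza; the fixed path yields `['message']`. The general lesson is the one Project Zero’s chain relies on: any relay that validates with one parser and hands the untouched bytes to a different parser has created a differential an attacker can drive, and the robust fix is to forward the canonical re-serialization of what was checked.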
Zoom only entered the 21st century in December, when it gave the macOS and Windows clients the ability to update automatically. The severity of the vulnerabilities fixed last week underscores the importance of automatic updating: attackers will often have reverse engineered a patch within hours or days of its release and use it as a roadmap for an exploit. And yet, one of the computers I regularly use for Zoom still hadn’t installed the patches until Wednesday, when I thought to select the “Check for updates” option.

In order for my Zoom client to update automatically, an intermediate version had to be installed first. Only after I updated manually did the automatic update finally take effect. Readers should check their own systems to ensure they are also running the latest version.