Security experts at ACROS Security report that the new zero-day vulnerability affects Zoom’s Windows client, but only on old versions of the Windows operating system such as Windows 7 and Windows Server 2008 R2. Zoom clients on newer Windows versions, according to Mitja Kolsek, CEO of ACROS Security, are not affected.
“The vulnerability allowed an attacker to run arbitrary code on the victim’s computer on which the Zoom client for Windows (any currently supported version) is installed by causing the user to perform some typical actions, such as opening a document file,” explains Kolsek. “No security warning is displayed to the user in the course of the attack,” he added.
Kolsek said that ACROS did not discover the vulnerability on its own but instead received it from a security researcher who wanted to keep his identity secret.
ACROS reported the zero-day vulnerability to Zoom and released an update to its 0patch client to prevent attacks for its own customers until Zoom released an official fix.
ACROS did not publish any technical details about the zero-day vulnerability, but a Zoom spokesperson confirmed the vulnerability and the accuracy of the report: “Zoom takes all reports of potential vulnerabilities seriously. We received a report this morning about an issue affecting Windows 7 and older users. We have confirmed this problem and are currently working on a patch to fix it quickly.” There is no schedule yet for when the fix will be available. However, a patch is currently in the works.
After several security issues with the Zoom service were discovered and disclosed, the company stopped developing all new features on April 1 to focus solely on security and privacy enhancements and bug fixes. This feature freeze, during which the company focused on improving application security, ended on July 1, 2020.
Earlier, on June 24, Zoom hired Jason Lee, who previously served as Senior Vice President of Security Operations at Salesforce, as a new Chief Information Security Officer (CISO).
During the feature freeze period, Zoom also worked with Luta Security to help the company set up a professional bug bounty program. Zoom and Luta Security ended their collaboration on the day Lee was hired.