New Zoom Flaws Could Allow Attackers to Hack Victims Simply by Sending a Message

Zoom, a popular video conferencing service, has patched four security flaws that could be used to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.
The issues range in CVSS severity from 5.9 to 8.1 and are tracked as CVE-2022-22784 through CVE-2022-22787. Ivan Fratric of Google Project Zero is credited with discovering and reporting all four issues in February 2022.
The following are the bugs:
- CVE-2022-22784 (CVSS score: 8.1) – Inadequate XML parsing in the Zoom Client for Meetings
- CVE-2022-22785 (CVSS score: 5.9) – Session cookies in the Zoom Client for Meetings are incorrectly restricted
- CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in the Zoom Client for Meetings for Windows
- CVE-2022-22787 (CVSS score: 5.9) – Inadequate hostname validation after server transition in the Zoom Client for Meetings
Because Zoom’s chat functionality is built on the XMPP standard, successful exploitation of the vulnerabilities could allow an attacker to force a vulnerable client to masquerade as a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution from a downgrade attack.
The zero-click attack sequence was named “XMPP Stanza Smuggling” by Fratric, who added that “one user could be able to spoof messages as if they were originating from another user” and that “an attacker might send control messages that will be accepted as if they were coming from the server.”
The problems, at their heart, take advantage of parsing incompatibilities between Zoom’s client and server XML parsers to “smuggle” arbitrary XMPP stanzas — a basic unit of communication.
The attack chain, in particular, may be used to hijack the software update procedure and force the client to connect to a man-in-the-middle server that offers up an older, less secure version of the Zoom client.
While the downgrade attack only affects the Windows version, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 affect Android, iOS, Linux, macOS, and Windows.
The updates come less than a month after Zoom patched two critical holes (CVE-2022-22782 and CVE-2022-22783) that might lead to local privilege escalation and memory content leakage in its on-premise Meeting services. Another instance of a downgrade attack (CVE-2022-22781) in Zoom’s macOS app was also addressed.
Users of the program are advised to update to the most recent version (5.10.0) in order to mitigate any potential dangers.