Critical Zoom vulnerabilities patched last week required no user interaction


Google’s Project Zero vulnerability research team detailed critical vulnerabilities that Zoom patched last week, which allowed hackers to execute no-click attacks that remotely executed malicious code on devices running the messaging software.

Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities allowed attacks to be performed even when the victim took no action other than opening the client. As detailed Tuesday by Google Project Zero researcher Ivan Fratric, inconsistencies in how the Zoom client and Zoom servers parse XMPP messages have allowed content to be “smuggled” into them that would typically be blocked. By combining these flaws with a problem in the operation of Zoom’s code signature verification, Fratric achieved full code execution.

“User interaction is not required for a successful attack,” the researcher wrote. “The only capability an attacker needs is to be able to send messages to the victim via Zoom chat using the XMPP protocol.” Fratric continues:

The initial vulnerability (tagged XMPP Stanza Smuggling) exploits parsing inconsistencies between XML parsers on Zoom’s client and server so it can “pass” arbitrary XMPP stanzas to the victimized client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in the execution of arbitrary code. A client demotion attack is used to bypass signature verification on the update installer. This attack has been demonstrated against the latest client (5.9.3) running on 64-bit Windows, but some or all parts of the string are likely applicable to other platforms.

In December, Zoom finally joined the 21st century by giving macOS and Windows customers the ability to automatically update. The severity of the vulnerabilities patched last week highlights the importance of automatic updating. Often hours or days after updates like these become available, hackers have already reverse-engineered them and used them as a roadmap for exploits. And yet, one of the computers I regularly use for Zoom hadn’t installed the patches yet until Wednesday, when I thought about choosing the “Check for updates” option.

In order for my Zoom client to update automatically, I had to run an intermediate version first. Once I updated manually, auto-update was finally in place. Readers may want to check their systems to make sure they are also using the latest version.

#Critical #Zoom #vulnerabilities #patched #week #required #user #interaction