A zero-day vulnerability in the Zoom Windows client that could allow remote code execution has now been patched by Zoom. The flaw only affected users running Windows 7 or earlier Windows versions; later Windows versions were unaffected.
Last week, Acros Security announced in a blog post that a zero-day vulnerability had been discovered, and Zoom was notified around the same time. Details of the flaw were not publicly released, but it is believed it could be exploited if a Zoom user on a vulnerable system was convinced to open a malicious email attachment or visit a malicious webpage. Some user interaction was therefore required, but once that interaction had occurred, the attacker could exploit the flaw without triggering any alerts.
The flaw was discovered by an unnamed security researcher who passed on the details to 0patch. 0patch released a micropatch to address the flaw that could be applied free of charge, but details of the flaw were not released, pending a patch from Zoom.
Zoom corrected the flaw in Zoom version 5.1.3 on July 10, 2020. All users of Zoom on legacy Windows versions have been advised to download the latest version of the Zoom client as soon as possible.
An update was also released on July 12, 2020 for phone and web users. The update upgrades encryption from AES-128 to AES-256, adds a call monitoring feature for mobile users and a customized speed dial function, and introduces several other features: a user can speak with a meeting participant without the knowledge of other members of the meeting, a shared directory of external contacts can be created, and active calls can be transferred to the voicemail inbox of another user. The update also includes several fixes for minor bugs.
To ensure that updates are automatically applied as soon as they are released, users are being encouraged to activate auto-updates.