Zoom videoconferencing has become hugely popular as a result of the global lockdown, as remote workers use it for business and social engagements; but make sure you are running the latest version of the Zoom software on your PC.
The long-awaited Zoom end-to-end encryption feature, although only available to paid users, is a welcome step toward fixing the critical privacy and security issues that have plagued the videoconferencing software. There is, however, a new warning about recently discovered vulnerabilities in Zoom chat.
According to researchers at Cisco Talos, two critical vulnerabilities have been discovered in the Zoom software that could give attackers remote access to the system of an individual recipient or of group chat participants.
Two Critical Flaws in Zoom videoconferencing software
Both flaws in Zoom are path traversal vulnerabilities that can be exploited to run arbitrary code on systems running a vulnerable version of the video conferencing software.
The first vulnerability (CVE-2020-6109) resides in how the videoconferencing software uses the GIPHY service, recently acquired by Facebook, to let users search for and share animated GIFs while chatting. The second vulnerability (CVE-2020-6110) resides in how the Zoom application processes code snippets shared via chat.
The security researchers were able to exploit both flaws successfully: they require little or no interaction from the targeted chat participants and can be triggered simply by sending specially crafted messages via the chat feature to an individual or a group.
The Zoom application failed to check whether a shared GIF was actually being loaded from the Giphy service, which allowed an attacker to embed GIFs from a server under their control; by design, such GIFs are cached on the recipients' systems in a specific folder associated with the Zoom application.
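The two checks the paragraph above implies, that a shared GIF really comes from the Giphy service and that the cached file cannot escape the Zoom cache folder, as an added Python illustration. This is not Zoom's code; the allowed host `giphy.com` (and its subdomains) and the cache directory name are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlparse


def host_allowed(host: str) -> bool:
    """True only for the GIPHY origin: giphy.com itself or a subdomain of it.
    (Assumption for this example: that is where legitimate GIFs are served.)"""
    host = host.lower().rstrip(".")
    return host == "giphy.com" or host.endswith(".giphy.com")


def safe_gif_cache_path(cache_dir: str, gif_url: str) -> Optional[Path]:
    """Return the on-disk cache path for a shared GIF, or None if the share
    must be refused.

    Check 1 (origin): the GIF must load from the GIPHY service, not from an
    arbitrary third-party server chosen by the sender.
    Check 2 (path): the cache location derived from the URL path must stay
    inside the Zoom cache folder, so '..' segments (plain or URL-encoded)
    cannot write the file elsewhere on the recipient's disk.
    """
    parts = urlparse(gif_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    if not host_allowed(parts.hostname):
        return None

    # Decode first so %2e%2e%2f is seen as ../ before any path handling.
    rel = unquote(parts.path)
    if "\\" in rel or "\x00" in rel or not rel.lower().endswith(".gif"):
        return None

    base = Path(cache_dir).resolve()
    # resolve() collapses '..' segments; the result must remain under base.
    candidate = (base / rel.lstrip("/")).resolve()
    if base not in candidate.parents:
        return None
    return candidate
```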
How to Mitigate against the Flaws
The researchers from Cisco Talos tested both flaws on Zoom client application version 4.6.10 and responsibly reported them to the company. Zoom has since released version 4.6.12 of its video conferencing software for Windows, macOS and Linux, which patches both critical vulnerabilities.
It is therefore recommended that all users upgrade to the latest version of the Zoom client application, version 4.6.10, released last month.