Zoom patches XMPP vulnerability chain that could lead to remote code execution
Zoom users have been advised to update their software to the latest version, 5.10.0, to fix a number of flaws detected by Google Project Zero researchers. According to Ivan Fratric, the researcher who discovered the holes, no user interaction is required for an attacker to successfully leverage the flaws. The only ability the attacker needs is to send messages to the victim over Zoom chat. Zoom's server and clients use different XML parsing libraries to handle the messages sent between them. Starting from this, Fratric was able to uncover an attack chain that could ultimately lead to remote code execution via a specially crafted message.
Fratric states that a specially crafted message would enable attackers to connect with a man-in-the-middle server that served an old version of the Zoom client that existed in mid-2019. Zoom also stated that Fratric found a way to send user session cookies to a non-Zoom domain, which could allow attackers to spoof the login page. The issues impact Android, iOS, Linux, macOS, and Windows. Fratric discovered the vulnerabilities back in February, but waited for Zoom to patch the server-side issues and eventually release the fix in late April before releasing details.