Critical Zoom vulnerabilities fixed last week did not require user interaction

Critical Zoom vulnerabilities fixed last week did not require user interaction


Google’s Project Zero vulnerability research team has detailed critical vulnerabilities that Zoom patched last week, making it possible for hackers to launch zero-click attacks that remotely executed malicious code on devices running the messaging software.

Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities allowed attacks to be carried out even if the victim took no action other than opening the client. As pointed out Tuesday by Google Project Zero researcher Ivan Fratric, inconsistencies in the way the Zoom client and Zoom servers parse XMPP messages made it possible to “smuggle” content into it that would normally be blocked. Combining those errors with a glitch in the way Zoom’s code signing verification works, Fratric achieved full code execution.

“User interaction is not required for a successful attack,” the researcher wrote. “The only skill an attacker needs is to be able to send messages to the victim via Zoom chat using the XMPP protocol.” Fratric continued:

Initial vulnerability (labeled XMPP Stanza Smuggling) exploits parsing inconsistencies between XML parsers on Zoom’s client and server to “smuggle” arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim’s client to connect to a malicious server, turning the primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is used to bypass the signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, but some or all parts of the chain are likely to apply to other platforms as well.

In December, Zoom finally entered the 21st century when it gave macOS and Windows clients the ability to update automatically. The severity of the vulnerabilities that were fixed last week underlines the importance of automatic updating. Often, within hours or days of such updates becoming available, hackers will have already reverse engineered them and use them as a roadmap for exploits. And yet, one of the computers I regularly use for Zoom had yet to install the patches until Wednesday, when I thought I’d choose the “Check for Updates” option.

In order for my Zoom client to update automatically, I had to run an intermediate version first. After I manually updated, the automatic update was finally in place. Readers may want to check their systems to make sure they are also running the latest version.

Leave a Comment