Researchers have discovered a zero-day vulnerability in Zoom that can be exploited to initiate remote code execution (RCE) attacks.
The Zero Day Initiative’s Pwn2Own competition pits white-hat cybersecurity experts and teams against one another in the detection of vulnerabilities in common applications and services.
— Zero Day Initiative (@thezdi) April 7, 2021

There were 23 entrants in the most recent competition, with web browsers, virtualization applications, servers, enterprise communication, and local escalation of privilege among the categories. The financial incentives for successful entrants can be substantial — in this case, Daan Keuper and Thijs Alkemade won $200,000 for their Zoom discovery.

The Computest researchers demonstrated a three-bug attack chain that resulted in an RCE on a target machine without requiring any user interaction. The technical details of the vulnerability are being kept under wraps because Zoom has not yet had time to fix the critical security flaw. However, an animation of the attack in action shows how, after exploiting the vulnerability, the attacker was able to open the calculator program on a computer running Zoom.

The attack works on both the Windows and Mac versions of Zoom, according to Malwarebytes, although it has not yet been tested on iOS or Android. The videoconferencing software’s browser edition is unaffected. Zoom thanked the Computest researchers and, in a statement to Tom’s Guide, said it was “working to mitigate this issue with respect to Zoom Chat.” Zoom Video Webinars and in-session Zoom Meetings are unaffected.

Vendors have a 90-day window to fix the security vulnerabilities discovered, as is standard procedure in vulnerability disclosure programs. Users may simply have to wait for a fix to be released, but if they are concerned, they can use the browser version in the meantime.