{"id":40391,"date":"2021-04-09T15:51:57","date_gmt":"2021-04-09T15:51:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32180\/Critical-Zoom-Vulnerability-Triggers-Remote-Code-Execution-Without-User-Input.html"},"modified":"2021-04-09T15:51:57","modified_gmt":"2021-04-09T15:51:57","slug":"critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input\/","title":{"rendered":"Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input"},"content":{"rendered":"
<\/div>\n

A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers.  <\/p>\n

Pwn2Own, organized by the Zero Day Initiative, is a contest for white-hat cybersecurity professionals and teams to compete in the discovery of bugs in popular software and services.  <\/p>\n

The latest competition included 23 entries, competing in different categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege.  <\/p>\n

For successful entrants, the financial rewards can be high — and in this case, Daan Keuper and Thijs Alkemade earned themselves $200,000 for their Zoom discovery.  <\/p>\n

The researchers from Computest demonstrated<\/a> a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction.  <\/p>\n

As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack<\/a> in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit.  <\/p>\n

As noted by Malwarebytes<\/a>, the attack works on both Windows and Mac versions of Zoom, but it has not — yet — been tested on iOS or Android. The browser version of the videoconferencing software is not impacted.  <\/p>\n

<\/section>\n

In a statement to Tom’s Guide<\/a>, Zoom thanked the Computest researchers and said the company was “working to mitigate this issue with respect to Zoom Chat.” In-session Zoom Meetings and Zoom Video Webinars are not affected. <\/p>\n

“The attack must also originate from an accepted external contact or be a part of the target’s same organizational account,” Zoom added. “As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust.” <\/p>\n

Vendors have a 90-day window, which is standard practice in vulnerability disclosure programs, to resolve the security issues found. End-users just need to wait for a patch to be issued — but if worried, they can use the browser version in the meantime.  <\/p>\n

“This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means,” Malwarebytes says. “Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).” <\/p>\n

Other successful attacks<\/a> of note during the content include: <\/p>\n