A zero-day vulnerability has been discovered in the Zoom application for Windows that allows arbitrary code execution on the victim's computer. The attack displays no security warning and works by getting the user to open a received file or document.

The vulnerability was discovered by an unidentified researcher who reported it to 0patch, which in turn reported it to Zoom. It exists in all supported versions of the Zoom client for Windows, and the 0patch team has created a micropatch to fix it.

This flaw can only be exploited on clients installed on Windows 7 and earlier, due to a specific property of the system. It is likely that the vulnerability is also exploitable on Windows Server 2008 R2 and earlier versions, although it has not been tested. Although official Microsoft support for Windows 7 ended this January, there are still millions of users and companies that continue to use it.

Until Zoom publishes a solution, the steps for users who want to stay safe are:

  • Temporarily stop using Zoom
  • Update Windows to a newer version
