Zoom working on patching zero-day disclosed in Windows client

UPDATE: The zero-day has now been patched. Updates are available to Zoom Windows users.

Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier today in a blog post by cyber-security firm ACROS Security.

The security firm said the zero-day impacts Zoom's Windows client, but only when the client runs on older Windows releases: Windows 7, Windows Server 2008 R2, and earlier versions.

Zoom clients running on Windows 8 or Windows 10 are not affected, according to ACROS Security CEO Mitja Kolsek.

"The vulnerability allows a remote attacker to execute arbitrary code on victim's computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file," Kolsek said.

"No security warning is shown to the user in the course of attack," he added.

Kolsek said ACROS did not discover the vulnerability itself, but instead received it from a security researcher who wanted to keep their identity secret.

ACROS reported the zero-day to Zoom earlier today and released an update to its 0patch client to block attacks against its own customers until Zoom releases an official fix. A demo of the zero-day being exploited, and then blocked by the 0patch client, is available below.

ACROS didn't publish any kind of technical details about the zero-day, but in a canned statement ZDNet received today from a Zoom spokesperson, the company confirmed the vulnerability and the report's accuracy.

"Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it."

A Zoom spokesperson could not commit to a timeline of when the fix would be available due to the unpredictability of developing a comprehensive fix; however, a patch is currently in the works.

Zero-day disclosed days after "feature freeze" ended

After the discovery and disclosure of several security issues with Zoom's service, on April 1, the company paused development on all new features to focus solely on security and privacy-related improvements and bug fixes.

That feature freeze, during which the company focused on improving the app's security, ended on July 1, last week.

Days before, on June 24, Zoom also hired a new Chief Information Security Officer (CISO) in Jason Lee, who previously served as Salesforce's Senior Vice President of Security Operations.

During its feature freeze period, Zoom also hired Luta Security to help the company set up a professional bug bounty program. Zoom and Luta Security ended their collaboration on the day of Lee's hiring.

Updated on July 10, 12:00pm ET to add that Zoom has released a patch for its Windows client to address the zero-day described by ACROS Security. The update can be downloaded from the Zoom client download page. The patched version is Zoom for Windows v5.1.3.
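For administrators who need to find hosts that still match the exposed combination (an affected Windows release with a Zoom client older than 5.1.3), the following PowerShell check is an added example written for this page; it is not code from ZDNet, Zoom or ACROS. It assumes the Zoom client binary sits at one of the usual install paths (`%APPDATA%\Zoom\bin\Zoom.exe` for per-user installs, or under Program Files for per-machine installs) and reads the version from the executable's file metadata; it uses `Get-WmiObject` rather than `Get-CimInstance` so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the article: report whether this host runs a Zoom
# client older than the patched 5.1.3 build on a Windows release the report
# lists as affected (Windows 7 / Server 2008 R2 and earlier).
# Assumed install paths are listed in $candidates; adjust for your environment.
function Test-ZoomExposure {
    param([version]$Patched = [version]'5.1.3')

    # Get-WmiObject exists on the stock PowerShell 2.0 of Windows 7.
    # Windows 7 / Server 2008 R2 report 6.1; Vista / Server 2008 report 6.0;
    # XP / Server 2003 report 5.x. Windows 8 (6.2) and 10 (10.0) are not affected.
    $osVer = [version](Get-WmiObject Win32_OperatingSystem).Version
    $osAffected = ($osVer.Major -lt 6) -or ($osVer.Major -eq 6 -and $osVer.Minor -le 1)

    # Assumption: usual per-user and per-machine locations of the Zoom client.
    $candidates = @(
        (Join-Path $env:APPDATA 'Zoom\bin\Zoom.exe'),
        (Join-Path $env:ProgramFiles 'Zoom\bin\Zoom.exe')
    )
    if (${env:ProgramFiles(x86)}) {
        $candidates += Join-Path ${env:ProgramFiles(x86)} 'Zoom\bin\Zoom.exe'
    }

    foreach ($exe in $candidates) {
        if (-not (Test-Path $exe)) { continue }

        # Version strings in PE metadata may be "5.1.3.28656" or "5, 1, 3, 28656";
        # take the first three numeric fields regardless of separator.
        $raw = (Get-Item $exe).VersionInfo.FileVersion
        if ($raw -match '^\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)') {
            $installed = [version]("{0}.{1}.{2}" -f $Matches[1], $Matches[2], $Matches[3])
        } else {
            Write-Warning "Could not parse version '$raw' from $exe"
            continue
        }

        # New-Object PSObject keeps this usable on PowerShell 2.0.
        New-Object PSObject -Property @{
            Path       = $exe
            Installed  = $installed
            OSVersion  = $osVer
            OSAffected = $osAffected
            Vulnerable = ($osAffected -and ($installed -lt $Patched))
        }
    }
}

Test-ZoomExposure | Format-Table Path, Installed, OSVersion, OSAffected, Vulnerable -AutoSize
```

The `Vulnerable` column is true only when both conditions from the report hold: an affected OS version and a client below 5.1.3. Run it through your remote-execution tooling of choice to sweep a fleet; hosts where no `Zoom.exe` is found at the assumed paths produce no output, so pair it with your software inventory rather than treating silence as a clean result.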