The security researchers at Cisco Talos have discovered two new critical security flaws in the Zoom app that could allow an attacker to execute code on the victim’s computer by sending especially customed messages via chat.
We all are very familiar with the Zoom app, as it has been quite famous during this lockdown, due to the serious COVID-19 pandemic attack.
According to the security researchers at Cisco Talos, if you are using the Zoom app for any purpose like business, schooling, or any kind of social meeting, then you should have to use the newest version of this popular software on your Windows, macOS, and Linux computers.
This video conferencing software has millions of users, as it encourages work from home, and it helps to avoid face-to-face contact, which is must essential during this Coronavirus pandemic situation.
As per the information provided by the Cisco Talos cyber threat intelligence team, both the vulnerabilities were found in Zoom client version 4.6.10. These vulnerabilities could enable the attackers to hack easily into the systems of group chat of the members or an individual receiver remotely.
Here are the vulnerabilities discovered by the security experts:-
- TALOS-2020-1055/CVE-2020-6109: Zoom client application chat Giphy arbitrary file write.
- TALOS-2020-1056/CVE-2020-6110: Zoom client application chat code snippet remote code execution vulnerability.
Well, these two security flaws that have been discovered have path traversal flaws that can be easily exploited to address or plant temporary files into the systems that are running unprotected versions of the video conferencing software to perform ill-disposed or arbitrary code.
After the discovery of these two vulnerabilities, one of the flaws has been fixed by the Zoom in May, which was named as TALOS-2020-1056 (CVE-2020-6110).
In contrast, the other one is named as TALOS-2020-1055 (CVE-2020-6109), though it’s not been fixed yet, but one of the researchers of Cisco Talos cleared that they believe that a client-side update will be required to mitigate any kind of risk entirely.
The first flaw (TALOS-2020-1056/CVE-2020-6110) is related to how the Zoom process the messages, as the researchers of Talos justified that if any hacker sent a specifically crafted message to people or groups, the vulnerability could be set off. Thus it enables attackers to put up several malicious files on users’ computers, outwardly any user cooperation.
Well, the second security flaw (TALOS-2020-1055/CVE-2020-6109) is also associated with the Zoom customer process messages, but this deals with the messages that contain several animated GIFs, later which can be used to exploit the arbitrary code in the target’s system.
To make the whole matter brief and clear, the security experts of the Cisco Talos have tested the security holes very properly, and then they reported the whole matter to the company.
Moreover, the founder of the company, Eric S. Yuan, stated in one of his blogs that the company would implement end-to-end encryption to the paid users and corporate customers. In short, if you are using the free version of the Zoom video conferencing app, then you won’t get the end-to-end encryption.
Apart from this, they have also clarified that now the company wants to provide necessary information on free customers’ conversations to law implementation just in case they perpetrate any type of crimes. Therefore the company voted to drop those types of customers outwardly and make the end-to-end encryption exclusive to the paid users only.
However, to patch these two security holes, Zoom has already released the patched just last month for both of these vulnerabilities along with the new version 4.6.12 for all the major platforms, Windows, Linux, and macOS.
So, what do you think about this? Share all your views and thoughts in the comment section below.