Zero-day flaw in Zoom could allow hackers to execute arbitrary code, researchers warn

0patch has released a free patch for older Windows machines

Researchers at cyber security firm 0patch claim to have uncovered a remote code execution (RCE) zero-day vulnerability in Zoom Client for Windows, which could enable hackers to run arbitrary code on vulnerable machines.

The bug was originally discovered by an unnamed security researcher, who reported it to the researchers at 0patch. The firm then documented the issue along with several attack scenarios, and reported it to Zoom on 9th July 2020.

A working proof of concept (PoC) exploit and recommendations to fix the issue were also submitted to Zoom.

According to researchers, the vulnerability, which was previously unknown, exists in all supported versions of the Zoom client for Windows. However, the flaw is only exploitable on Windows 7 and older Windows systems, which are no longer supported by Microsoft.

Moreover, an attacker would require user interaction, such as opening a document file, before being able to exploit the vulnerability on the target system.

According to 0patch, no security warning is shown to the targeted user during the course of attack.

"While Microsoft's official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft's Extended Security Updates or with 0patch," said Mitja Kolsek of 0patch Team.

Kolsek revealed that 0patch has pushed out a 'micropatch' to close the security hole until Zoom delivers a permanent fix to address the issue.

This micropatch, created by 0patch, removes the vulnerability at four different places in the code and is available for free to 0patch users.

This is, however, not the first instance where a security bug has been reported in Zoom's apps.

In April, two bugs were uncovered, which could have allowed hackers to take over a Zoom user's Mac and access the microphone and webcam on the device. Zoom patched those issues upon being alerted to them.

The same month, Zoom announced version 5.0 of its video conferencing app which included a number of security fixes, stating that it will come would a variety of new security features to deliver "happiness" to customers around the world.