Detect 2 serious security holes in the Zoom application

Recently, Cisco Talos security researchers have discovered two serious security holes in the Zoom application. These vulnerabilities allow hackers to attack and infiltrate the computers of people in the group chat. After invading, hackers can install and run malicious code on Zoom users' computers.

To avoid being affected by the above two vulnerabilities, security experts recommend that Zoom users should update to the latest version of this application. Zoom is currently one of the preferred software for meetings and online learning.

According to the researchers, to successfully exploit this vulnerability, hackers do not need the interaction of victims. Instead, they only need to send directly to the victim or victim group special designed messages. 

The first flaw (CVE-2020-6109) lies in the way Zoom takes advantage of the GIPHY service, which allows users to search and send GIFs while chatting. The researchers found that Zoom did not check if the GIF was actually loaded from GIPHY. This allows hackers to embed GIF images from third-party servers controlled by them.

These GIFs are designed to contain malware and executable code to trick users into saving them in specific folders. Moreover, Zoom has no mechanism to clean the file name, so hackers can easily set up to save the disguised malicious code as a GIF image to the system folder on the victim's computer.

The second vulnerability (CVE-2020-6110) lies in the way the older version of Zoom handles the featured code snippets shared in the message. "Zoom's chat function is built on the XMPP standard with add-ons to provide a rich user experience. One of the extensions that allows the addition of featured snippets in conversation. "This feature requires the sender to install additional plugins, but the recipient doesn't need to install it," the researchers shared.

Before sending, this feature creates a zip file of the highlighted code and then decompresses it on the recipient's computer. Zoom does not validate the contents of the zip file before unzipping, so hackers can create arbitrary files to send to the target computer. The flaw even allows hackers to extract zip files in other folders on the target's computer.

These two vulnerabilities appeared on Zoom version 4.6.10 and earlier. Receiving a warning from Cisco Talos researchers, Zoom has now released version 4.6.12 for Windows, macOS and Linux to fix the aforementioned vulnerabilities.