Two serious security holes detected in the Zoom application
Recently, Cisco Talos security researchers discovered two serious security holes in the Zoom application. These vulnerabilities allow attackers to compromise the computers of participants in a group chat and, once in, install and run malicious code on those Zoom users' computers.
To avoid being affected by these two vulnerabilities, security experts recommend that Zoom users update to the latest version of the application. Zoom is currently one of the preferred tools for meetings and online learning.
Security experts recommend that users update to the latest version of Zoom
According to the researchers, successfully exploiting these vulnerabilities requires no interaction from the victim. The attacker only needs to send specially crafted messages directly to the victim or to the victim's group chat.
The first flaw (CVE-2020-6109) lies in the way Zoom takes advantage of the GIPHY service, which allows users to search and send GIFs while chatting. The researchers found that Zoom did not check if the GIF was actually loaded from GIPHY. This allows hackers to embed GIF images from third-party servers controlled by them.
These GIFs can be crafted to carry malware and executable code, and to trick the client into saving them in specific folders. Moreover, Zoom had no mechanism to sanitize the file name, so an attacker could easily arrange for malicious code disguised as a GIF image to be saved to a system folder on the victim's computer.
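The two weaknesses described for CVE-2020-6109 are a missing origin check on the GIF URL and a missing file-name sanitization step before the image is written to disk. The following is an added example written for this article, not code from Zoom or from Cisco Talos; the allow-listed host names, the download directory and the function names are assumptions chosen for illustration. It shows the defensive checks a chat client should apply: verify that the GIF really comes from the expected service, and collapse whatever name the message supplies into a single safe path component so it can never land in a system folder.

```python
import os
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed allow-list of hosts a GIF picker may load from (illustrative
# hostnames chosen for this example, not values taken from Zoom's client).
ALLOWED_GIF_HOSTS = {"giphy.com", "media.giphy.com"}

# Characters permitted in a locally saved file name; everything else is replaced.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def gif_origin_allowed(url: str) -> bool:
    """Return True only for https URLs whose host is an allow-listed host or a
    subdomain of one. A plain suffix match would accept giphy.com.evil.example,
    so the comparison is anchored on a leading dot."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_GIF_HOSTS)


def safe_gif_filename(remote_name: str) -> str:
    """Reduce a remote-supplied name to a single path component ending in .gif.
    Directory separators (both kinds) and traversal elements are dropped, and
    any original extension is discarded so an executable cannot masquerade as
    an image."""
    base = os.path.basename(remote_name.replace("\\", "/"))
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return (stem or "image") + ".gif"


def download_target(url: str, remote_name: str, download_dir: str) -> Optional[str]:
    """Decide where (if anywhere) a GIF referenced by a chat message may be
    written. Returns the destination path, or None when the origin is not
    allowed. The final commonpath check guards the join itself, so even a
    future bug in safe_gif_filename cannot escape the download directory."""
    if not gif_origin_allowed(url):
        return None
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, safe_gif_filename(remote_name)))
    if os.path.commonpath([root, target]) != root:
        return None
    return target
```

Discarding the original extension is deliberate: the client only ever writes `.gif` files into one directory it owns, which removes both halves of the problem the researchers describe (arbitrary file name and arbitrary location) rather than trying to block individual bad names.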
The second vulnerability (CVE-2020-6110) lies in the way older versions of Zoom handle code snippets shared in a message. "Zoom's chat function is built on the XMPP standard with add-ons to provide a rich user experience. One of the extensions allows the addition of featured snippets in a conversation. This feature requires the sender to install an additional plugin, but the recipient doesn't need to install it," the researchers shared.
Security holes recently discovered in Zoom allow hackers to attack a user's computer system
Before sending, this feature creates a zip file of the highlighted code and then decompresses it on the recipient's computer. Zoom did not validate the contents of the zip file before unzipping, so an attacker could plant arbitrary files on the target computer. The flaw even allowed the zip contents to be extracted into other folders on the target's computer.
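The root cause of CVE-2020-6110 as described above is extraction of an untrusted archive without validating its member names, so a member such as `../../something` is written outside the intended folder. The following is an added example written for this article, not Zoom's code and not Cisco Talos's; the extension allow-list, size limits and function names are assumptions. It builds a small constructed archive in memory containing one legitimate snippet and three members shaped like the problem the researchers describe (a traversal path, an absolute path and a non-snippet file type), then shows an extractor that validates every member against the destination root before writing anything.

```python
import io
import os
import posixpath
import re
import tempfile
import zipfile

# Assumed policy for a "code snippet" archive: only a few text-like types,
# a bounded number of members and a bounded total size.
ALLOWED_EXT = {".txt", ".py", ".c", ".js"}
MAX_MEMBERS = 100
MAX_TOTAL_BYTES = 10 * 1024 * 1024


def member_is_safe(name: str, dest_root: str) -> bool:
    """Reject absolute paths, drive-letter paths and '..' components, then
    confirm the resolved target still lies under dest_root."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return False
    if any(part == ".." for part in normalized.split("/")):
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, normalized))
    return os.path.commonpath([root, target]) == root


def extract_snippet_archive(data: bytes, dest_root: str) -> dict:
    """Extract only validated members into dest_root.
    Returns {'extracted': [...], 'rejected': [...]} with member names."""
    result = {"extracted": [], "rejected": []}
    root = os.path.realpath(dest_root)
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError("archive has too many members")
        for info in infos:
            name = info.filename
            if info.is_dir():
                continue  # directories are created on demand below
            ext = posixpath.splitext(name.replace("\\", "/"))[1].lower()
            if not member_is_safe(name, root) or ext not in ALLOWED_EXT:
                result["rejected"].append(name)
                continue
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise ValueError("archive exceeds size budget")
            target = os.path.join(root, name.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(name)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample archive for this example (not a real Zoom message):
    one legitimate snippet plus three members that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet.py", "print('hello')\n")
        zf.writestr("../../outside.txt", "must not be written above the root\n")
        zf.writestr("/tmp/absolute.txt", "must not be written to an absolute path\n")
        zf.writestr("tool.exe", "not a snippet type\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor on the sample archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_snippet_archive(build_sample_archive(), dest)


if __name__ == "__main__":
    print(demo())
```

The check is done per member and against the real, resolved destination, which is what a client unpacking a peer-supplied archive needs: the file name inside the zip is attacker-controlled data and must be treated the same way as any other untrusted path.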
These two vulnerabilities affect Zoom version 4.6.10 and earlier. After being notified by the Cisco Talos researchers, Zoom released version 4.6.12 for Windows, macOS and Linux to fix them.