On July 9, 2020, information security specialists from ACROS Security reported a zero-day vulnerability in the Zoom client affecting older versions of Windows. Using this vulnerability, an attacker could remotely run arbitrary code on a PC running Windows 7 (even with all the latest security updates) or Windows Server 2008 R2, as well as older versions of the OS. The experts confirmed that the vulnerability cannot be exploited on Windows 8 or Windows 10.
The vulnerable clients are Zoom Client for Windows versions 5.0.3 through 5.1.2. Although it was launched in 2009, Windows 7 remains popular with millions of users: on January 1, 2020, for example, Windows 7 was installed on 400 million computers. According to StatCounter, 19% of Internet users are still working on Windows 7, though their share continues to decline, while Windows 10 continues to gain popularity with a 73% share of users.
ACROS information security specialists did not disclose technical details of the vulnerability or the name of the developer who discovered it and passed the information to them. They promptly handed the Zoom developers a full report on the problem. Zoom representatives confirmed receipt of the report and said they are working on a fix and preparing to release the patch needed to close the vulnerability. Zoom's developers did not specify when that patch would be released.
A micropatch addressing this vulnerability has been published on the 0patch portal and is already included in the latest version of the 0patch Agent client.
Video: an example of the discovered zero-day vulnerability being exploited, and then being blocked by the 0patch client.
In this example, when the 0patch Agent is turned off (or absent), clicking the "Enable Video" button in the Zoom client triggers the vulnerability and displays a "HACKED" dialog box (arbitrary code could be executed instead). When 0patch is enabled, access to the mechanism that triggers the vulnerability from the running Zoom.exe process is blocked, and clicking the "Enable Video" button no longer allows arbitrary code to run on the PC. The information security experts explained that, to avoid disclosing too much in the video, some of the user's preceding actions in the Zoom client interface are not shown.
Earlier, on January 14, 2020, the extended support period for the Windows 7 operating system ended. Computers running it continue to work, but the manufacturer of the operating system no longer guarantees their security. Microsoft advises regular users to replace their legacy Windows 7 device with a new computer or laptop running Windows 10.