time to cope with your schooling, business, or social
engagement—make sure you are running the latest version of the
widely popular video conferencing software on your Windows, macOS,
or Linux computers.
No, it’s not about the arrival of the most-awaited “real”
end-to-end encryption feature, which apparently, according to the
latest news, would now only be available to paid
users[1]. Instead, this latest
warning is about two newly discovered critical vulnerabilities.
Cybersecurity researchers from Cisco Talos disclosed today that
they had discovered two critical vulnerabilities in the Zoom
software[2] that could have allowed attackers to remotely
compromise the systems of group chat participants or of an
individual recipient.
Both flaws in question are path traversal vulnerabilities that
can be exploited to write or plant arbitrary files on systems
running vulnerable versions of the video conferencing software, in
order to execute malicious code.
According to the researchers, successful exploitation of both flaws
requires no or very little interaction from targeted chat
participants and can be executed just by sending specially crafted
messages through the chat feature to an individual or a group.
The first security vulnerability (CVE-2020-6109)
resided in the way Zoom leverages the GIPHY service, recently bought by
Facebook, to let its users search for and exchange animated GIFs while
chatting.
The researchers found that the Zoom application did not check whether
a shared GIF was actually being loaded from the GIPHY service, allowing an
attacker to embed GIFs hosted on a third-party, attacker-controlled
server, which Zoom by design caches on the recipient’s system
in a specific folder associated with the application.
Besides that, since the application was also not sanitizing the
filenames, it could have allowed attackers to achieve directory
traversal, tricking the application into saving malicious files
disguised as GIFs to any location on the victim’s system, for
example, the startup folder.
The second remote code execution vulnerability
(CVE-2020-6110) resided in the way vulnerable versions of
the Zoom application process code snippets shared through the
chat.
“Zoom’s chat functionality is built on top of XMPP standard with
additional extensions to support the rich user experience. One of
those extensions supports a feature of including source code
snippets that have full syntax highlighting support. The feature to
send code snippets requires the installation of an additional
plugin but receiving them does not. This feature is implemented as
an extension of file sharing support,” the researchers said.[3]
This feature creates a zip archive of the shared code snippet
before sending and then automatically unzips it on the recipient’s
system.
According to the researchers, Zoom’s zip file extraction feature
does not validate the contents of the zip file before extracting
it, allowing the attacker to plant arbitrary binaries on targeted
computers.
“Additionally, a partial path traversal issue allows the
specially crafted zip file to write files outside the intended
randomly generated directory,” the researchers said.
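Both defects described above (a GIF origin that is never checked, cache filenames that are not sanitised, and a zip extraction that can write outside its random directory) come down to using an attacker-supplied name as a filesystem path. The Python below is an added example, not Zoom's or Cisco Talos's code, showing the three checks a client should make: a host allow-list (ALLOWED_GIF_HOSTS is a hypothetical value), a single-component filename rule, and an extraction routine that resolves every member path and rejects the whole archive if any member escapes the destination. The malicious archives in the test are constructed in-memory data.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlparse

ALLOWED_GIF_HOSTS = {"giphy.com", "media.giphy.com"}  # hypothetical allow-list, not Zoom's

def gif_source_allowed(url: str) -> bool:
    """Accept only HTTPS GIF URLs served from the expected GIPHY hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and (
        host in ALLOWED_GIF_HOSTS or host.endswith(".giphy.com"))

def safe_filename(name: str) -> bool:
    """A cache filename must be one path component: no separators, no '.'/'..'."""
    if not name or name in (".", "..") or "\x00" in name:
        return False
    return "/" not in name and "\\" not in name

def extract_snippet(zip_bytes: bytes) -> Optional[List[str]]:
    """Unzip into a fresh random directory, rejecting the whole archive if any
    member would resolve outside it; returns names written, or None. The
    realpath + commonpath test compares whole segments ('/tmp/abc' vs '/tmp/abcd')."""
    with tempfile.TemporaryDirectory() as dest, zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        root = os.path.realpath(dest)
        targets = {i.filename: os.path.realpath(os.path.join(root, i.filename))
                   for i in zf.infolist()}
        # Validate every member before writing anything.
        if any(os.path.commonpath([root, t]) != root for t in targets.values()):
            return None
        for info in zf.infolist():
            if info.is_dir():
                os.makedirs(targets[info.filename], exist_ok=True)
                continue
            os.makedirs(os.path.dirname(targets[info.filename]), exist_ok=True)
            with zf.open(info) as src, open(targets[info.filename], "wb") as dst:
                dst.write(src.read())
        return [i.filename for i in zf.infolist() if not i.is_dir()]

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip (constructed test data) from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

In this demo the random directory is discarded when extract_snippet returns; a real client would keep it and hand the written paths to the syntax highlighter.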
Cisco Talos researchers tested both flaws on version 4.6.10 of
the Zoom client application and responsibly reported them to the
company.
Zoom patched both critical vulnerabilities last month with the
release of version 4.6.12 of its video conferencing software for
Windows, macOS, and Linux.
References
[1] available to paid users (www.bloomberg.com)
[2] Zoom software (thehackernews.com)
[3] researchers said (blog.talosintelligence.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/qgszbhEPRd0/zoom-video-software-hacking.html