Zoom Patched Numerous Bugs With Latest Update Zoom has recently rolled out its version 5.10.0 across multiple clients, patching different vulnerabilities.
According to the release notes from Zoom, the service has addressed four different security bugs with the latest update.
One of these bugs includes a high-severity remote code execution vulnerability. This vulnerability, CVE-2022-22784 (CVSS 8.1), existed due to improper XML parsing in XMPP messages. Regarding the impact of this vulnerability, the bug description reads,
“This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user’s client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.”
This severe bug affected Zoom Clients for Windows, macOS, Android, and iOS alike.
The other high-severity flaw patched with the latest update affects Zoom Windows clients. Specifically, the bug, CVE-2022-22786 (CVSS 7.5), existed due to poor checking for the latest update during installation. When exploited, this vulnerability could make a user downgrade the software to an earlier version. While that sounds harmless, it actually isn’t because such downgrades would also mean a loss of security fixes for known bugs. For attackers, such vulnerabilities are always lucrative to target users.
The other two vulnerabilities fixed with Zoom version 5.10.0 include medium-severity bugs, CVE-2022-22787 and CVE-2022-22785, in Zoom Client for Meetings for desktop and mobile devices.
Zoom has acknowledged Ivan Fratric of Google Project Zero for reporting all four vulnerabilities. Fratric has also elaborated on these vulnerabilities in separate bug reports, such as the one for the high-severity RCE flaw.
While the updates would arrive automatically to each device, users should also double-check for any updates manually to quickly receive the patches.