May 2, 2024


Zoom Vulnerability Allows Hackers to Target Windows 7 PCs

(Photo by Yuriko Nakao/Getty Images)

Security researchers have uncovered a new vulnerability in Zoom that can be exploited to hack Windows 7 machines running the video conferencing software. 

The flaw can pave the way for remote code execution, enabling an attacker to download and install malware onto a victim’s Windows 7 PC, according to the Slovenian firm ACROS Security. On Thursday, the company disclosed the previously unknown vulnerability on a tip from an unnamed security researcher.

ACROS Security is withholding details of the flaw to prevent malicious hackers from exploiting it. However, the company says the vulnerability affects the Zoom client for Windows. Presumably, the hacker needs to start a video meeting with the victim and then trick the person into performing a certain action, such as opening a document file; the attack will then occur without any warning to the user.

“We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life,” ACROS Security wrote in a blog post. (Indeed, Windows 7 still has a 23 percent share of the desktop operating system market.)

ACROS Security reported the vulnerability to Zoom today. “We have confirmed this issue and are currently working on a patch to quickly resolve it,” the video conferencing provider said.

Why ACROS Security decided to disclose the flaw today—before Zoom had a chance to patch it—wasn’t fully explained. However, the company indicated it was important to notify the public about the potential danger.

“We did not disclose vulnerability details that would allow attackers to exploit it—we only disclosed its presence and our micropatch,” ACROS Security CEO Mitja Kolsek told PCMag in an email. “Per our long-standing policy, we wouldn’t even publish details after 90 days if these details allowed attackers to attack users.”

ACROS Security’s “micropatch” for the flaw is free, but applying it requires you to download and install the company’s 0patch software. Kolsek added that there’s no evidence that hackers are currently exploiting the flaw.
