A Zero-Day Vulnerability in Zoom Triggers Remote Code Execution Without User Input

zoom vulnerability

The researchers who found the bug have been paid a total of $200,000 for their efforts.

Researchers have discovered a zero-day vulnerability in Zoom that can be exploited to initiate remote code execution (RCE) attacks.

The Zero Day Initiative’s Pwn2Own competition pits white-hat cybersecurity experts and teams against one another in the detection of vulnerabilities in common applications and services.

There were 23 entrants in the most recent competition, with web browsers, virtualization applications, servers, enterprise communication, and local escalation of privilege among the categories.

The financial incentives for good entrants can be substantial — in this case, Daan Keuper and Thijs Alkemade won $200,000 for their Zoom discovery.

Computest researchers demonstrated a three-bug attack chain that resulted in an RCE on a target machine without requiring any user interaction.

The technical specifics of the vulnerability are being held under wraps because Zoom has not yet had time to fix the crucial security flaw. However, an animation of the attack in action shows how, after exploiting the vulnerability, an attacker was able to open the calculator program on a computer running Zoom.

The assault works on both Windows and Mac versions of Zoom, according to Malwarebytes, although it has not yet been tested on iOS or Android. The videoconferencing software’s browser edition is unaffected.

Zoom thanked the Computest researchers and said it was “working to mitigate this issue with respect to Zoom Chat.” in a statement to Tom’s Guide. Zoom Video Webinars and in-session Zoom Meetings are unaffected.

“The attack must also originate from an accepted external contact or be a part of the target’s same organizational account,” Zoom added. “As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust.”

Vendors have a 90-day window to fix the security vulnerabilities discovered, as is common procedure in vulnerability disclosure programs. Users may simply have to wait for a fix to be released, but if they are concerned, they can use the browser version in the meantime.

“This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means,” Malwarebytes says. “Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).”

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.