One of the vulnerabilities patched with this update allowed remote code execution. Sending a specially crafted message enabled a malicious actor to trick Zoom users into connecting to an intermediary (man-in-the-middle) server without them noticing any anomaly. The attacker could then launch a more sophisticated attack. They could spoof messages as if they were coming from another user. Perhaps they could control all messages coming from the server as well as from the client. Identified by Common Vulnerabilities and Exposures (CVE) number CVE-2022-22784, this issue was reported by Google Project Zero security researcher Ivan Fratric. “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said. With a Common Vulnerability Scoring System (CVSS) score of 8.1, this is quite a serious issue that you’d want to be safe from as early as possible. It affected Zoom apps for Android, iOS, Linux, macOS, and Windows. The latest update (version 5.10.0), rolled out last week, patches it. We have provided the Google Play Store link to the new version at the end of this article.
Zoom version 5.10.0 also patches a few more security issues
The latest Zoom update also patches another high-severity vulnerability discovered by Ivan Fratric. Identified by CVE number CVE-2022-22786, this bug prevented the Zoom client from properly checking the build version of an installation package during the update process. As such, a remote attacker could trick a user into downgrading their Zoom app to a less secure version. This vulnerability had a CVSS score of 7.5 and only affected the Windows Zoom client.

Ivan Fratric also reported a medium-severity vulnerability in Zoom. It allowed spoofing of a user by sending their Zoom-scoped session cookies to a non-Zoom domain. This bug affected the videoconferencing app’s Android, iOS, Linux, macOS, and Windows clients. Tracked as CVE-2022-22785, Zoom patched the issue with version 5.10.0.

Last but not least, the latest update for Zoom fixes another medium-severity vulnerability that allowed attackers to trick users during a server switch request. Unsuspecting users could end up connecting to a malicious server instead of Zoom. This opens up the possibility of a more severe attack. This issue was assigned the CVE number CVE-2022-22787. Zoom version 5.10.0 patches it on Android, iOS, Linux, macOS, and Windows.

You can click the button below to download the latest version of the Zoom app for your Android smartphone from the Google Play Store.