Zoom has disclosed several significant security vulnerabilities in its popular web conferencing software, rating some of them as high risk. The flaws could have let attackers execute malicious code on users' machines or escalate their privileges on the system, giving them broader access to sensitive information. The company has released updates that fix them.
The most severe vulnerability, tracked as CVE-2023-22885 and rated 'high', concerned saving a local recording to an SMB share: attackers could exploit it to get their own executables run on victims' machines. The Zoom Client for Meetings for IT Admin Windows installer let a local attacker escalate privileges to SYSTEM as part of an attack chain (CVE-2023-22883, also rated 'high'). A comparable flaw in the IT Admin macOS installer allowed escalation to root (CVE-2023-22884, rated 'medium').
A recent update to the Microsoft Edge WebView2 component exposed the Zoom clients, Zoom Rooms and Zoom VDI on Windows to an information leak. Separately, attackers could send crafted UDP packets that trigger errors in the clients' STUN parser, crashing the client and causing a denial of service.
The vulnerabilities affect the Zoom clients for Android, iOS, Linux, macOS and Windows before version 5.13.5; Zoom Rooms for Android, iOS, Linux, macOS and Windows before version 5.13.5; Zoom VDI Windows Meeting clients before version 5.13.10; Zoom Client for Meetings for IT Admin Windows installers before version 5.13.5; and Zoom Client for Meetings for IT Admin macOS installers before version 5.13.5.
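For anyone triaging a fleet against these version cut-offs, the following is an added example (not code from Zoom or from this article) that flags installs older than the fixed versions listed above. The product keys, the inventory rows and the helper names are assumptions made for this example; the fixed versions are the ones the bulletin lists. The one detail worth getting right is the comparison itself: compared as strings, "5.13.10" sorts below "5.13.5", which would wrongly mark a patched VDI client as vulnerable, so versions are parsed into integer tuples first.

```python
"""Flag Zoom installs that predate the fixed versions in this bulletin.

Added example for fleet triage; not Zoom's own tooling. Product keys and
inventory format are assumptions for illustration.
"""

# Fixed versions as listed in the bulletin, keyed by an assumed product name.
FIXED_VERSIONS = {
    "zoom-client": "5.13.5",                  # Android, iOS, Linux, macOS, Windows clients
    "zoom-rooms": "5.13.5",                   # Zoom Rooms on all five platforms
    "zoom-vdi-windows": "5.13.10",            # Zoom VDI Windows Meeting clients
    "zoom-it-admin-installer-windows": "5.13.5",
    "zoom-it-admin-installer-macos": "5.13.5",
}


def parse_version(raw: str) -> tuple[int, ...]:
    """Turn '5.13.10' (or '5.12.9 (11012)') into a tuple of ints.

    Tuples compare numerically, so (5, 13, 10) > (5, 13, 5). A plain string
    comparison would rank '5.13.10' below '5.13.5' and misclassify hosts.
    A trailing build number in parentheses is ignored.
    """
    token = raw.strip().split()[0] if raw.strip() else ""
    parts = token.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if the installed version is older than the fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"unknown product: {product!r}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[dict]) -> tuple[list[dict], list[tuple[dict, str]]]:
    """Split an inventory into (affected rows, rows that could not be assessed).

    Rows with an unknown product or an unparseable version are reported
    separately rather than silently treated as patched.
    """
    findings, skipped = [], []
    for row in inventory:
        try:
            if is_affected(row["product"], row["version"]):
                findings.append({**row, "fixed_in": FIXED_VERSIONS[row["product"]]})
        except (KeyError, ValueError) as exc:
            skipped.append((row, str(exc)))
    return findings, skipped


# Constructed sample inventory (not real hosts) covering the interesting cases.
SAMPLE_INVENTORY = [
    {"host": "win-001", "product": "zoom-client", "version": "5.13.4"},             # affected
    {"host": "win-002", "product": "zoom-client", "version": "5.13.5"},             # patched (equal)
    {"host": "mac-003", "product": "zoom-it-admin-installer-macos", "version": "5.12.9 (11012)"},  # affected
    {"host": "vdi-004", "product": "zoom-vdi-windows", "version": "5.13.5"},        # affected: VDI fix is 5.13.10
    {"host": "vdi-005", "product": "zoom-vdi-windows", "version": "5.13.10"},       # patched
    {"host": "lin-006", "product": "zoom-client", "version": "unknown"},            # cannot assess
    {"host": "rm-007", "product": "zoom-rooms", "version": "5.13.10.2345"},         # patched
]


if __name__ == "__main__":
    found, unassessed = triage(SAMPLE_INVENTORY)
    for row in found:
        print(f"{row['host']}: {row['product']} {row['version']} < fixed {row['fixed_in']}")
    for row, reason in unassessed:
        print(f"{row['host']}: could not assess ({reason})")
```

Hosts that cannot be assessed are listed rather than dropped, since a missing or malformed version string in an inventory export is more often a collection failure than evidence of a patched client.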
Zoom has published security bulletins for all of the vulnerabilities, listing the affected versions precisely and offering downloads of the updated software on its website. According to the company, users can also check for updates from within the client, which reports whether the installed version is current. Zoom had already released updates in January this year to resolve several other issues.