Latest Zoom vulnerabilities require customer updates to fix
The latest serious Zoom vulnerabilities identified by cyber threat intelligence organisation Cisco Talos require customers to download the latest software with all the currently security updates.
Cisco Talos discovered a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. It said on its blog: “An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability.”
We asked Zoom for clarification on whether the bug is fixed and a spokesperson told Legal IT Insider: “Zoom addressed these issues and other internally-found bugs in our April 21st release. Zoom’s fixes included both a server-side and client-side patch. Customers can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”
Cisco Talos believes it requires a fix on the client-side to completely resolve the security risk.