The latest serious Zoom vulnerabilities identified by cyber threat intelligence organisation Cisco Talos require customers to download the latest software with all current security updates.
Cisco Talos discovered a path traversal vulnerability, a type of web security flaw that allows an attacker to read arbitrary files on the server that is running an application. It said on its blog: “An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability.”
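The phrase “partial path traversal” in the Talos description usually refers to a containment check that compares path strings by prefix rather than by path component, so a sibling directory whose name merely begins with the intended directory's name slips through. The following is an added illustration of that check and its corrected form; it is not Zoom's or Cisco Talos's code and says nothing about how the Zoom client actually stored snippets. The base directory, file names and the `weak_check`/`safe_check`/`resolve_snippet_path` helpers are all constructed for the example.

```python
"""Containment checks for a file name taken from an untrusted chat message.

Added illustration of the 'partial path traversal' bug class; not Zoom's or
Cisco Talos's code. SNIPPET_DIR and every name below are constructed.
posixpath is used so the string handling is identical on every platform;
production code must also normalise the host's own separators.
"""
import posixpath

SNIPPET_DIR = "/var/app/snippets"  # constructed base directory for shared snippets


def weak_check(base_dir: str, name: str) -> bool:
    """Naive prefix test.

    The path is normalised (which collapses '..'), but the result is then
    compared to base_dir as a character string. Anything under a directory
    whose name starts with 'snippets' (e.g. '/var/app/snippets_backup')
    passes, which is exactly the 'partial' traversal weakness.
    """
    full = posixpath.normpath(posixpath.join(base_dir, name))
    return full.startswith(base_dir)


def safe_check(base_dir: str, name: str) -> bool:
    """Component-wise containment test.

    Rejects absolute names outright (posixpath.join would discard base_dir
    for them), normalises the joined path, then requires that the longest
    common path of base and target is the base itself. The base directory
    alone is also rejected so that an empty name cannot select the directory.
    """
    base = posixpath.normpath(base_dir)
    if posixpath.isabs(name):
        return False
    full = posixpath.normpath(posixpath.join(base, name))
    if full == base:
        return False
    return posixpath.commonpath([base, full]) == base


def resolve_snippet_path(name: str, base_dir: str = SNIPPET_DIR) -> str:
    """Return the on-disk path for a snippet name, or raise ValueError when
    the name would land anywhere outside base_dir."""
    if not safe_check(base_dir, name):
        raise ValueError(f"rejected snippet name: {name!r}")
    return posixpath.normpath(posixpath.join(base_dir, name))


if __name__ == "__main__":
    # Constructed inputs: one benign name and one that escapes to a sibling directory.
    for candidate in ("hello.py", "../snippets_backup/helper.dll"):
        print(f"{candidate!r}: weak={weak_check(SNIPPET_DIR, candidate)} "
              f"safe={safe_check(SNIPPET_DIR, candidate)}")
```

The second candidate normalises to `/var/app/snippets_backup/helper.dll`, which `weak_check` accepts because the string begins with `/var/app/snippets`, while `safe_check` rejects it because the common path is only `/var/app`. Fixing the check on the receiving client, rather than only filtering messages on the server, is the kind of client-side change the article's last paragraph refers to.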
We asked Zoom for clarification on whether the bug is fixed and a spokesperson told Legal IT Insider: “Zoom addressed these issues and other internally-found bugs in our April 21st release. Zoom’s fixes included both a server-side and client-side patch. Customers can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”
Cisco Talos believes a client-side fix is required to completely resolve the security risk.