Four new flaws in Zoom allowed attackers to hack into you by simply sending you a message.
The popular Zoom video conferencing service has already resolved four security issues that could be used to intrude on another user by chatting by sending specially formatted Extensible Messaging and Presence Protocol messages (XMPP) and performing malicious code.
A series of four bugs, from CVE-2022-22784 to CVE-2022-22787, indicate a hazard rating between 5,9 and 8,1. All four were discovered in February 2022 by Ivan Fratric of Google Project Zero.
The list of errors is as follows:
CVE-2022-22784 (CVSS score: 8,1) – Incorrect analysis XML in Zoom Client for Meetings
CVE-2022-22785 (CVSS rating: 5,9) - Session cookies with inappropriate restriction on Zoom Client for Meetings
CVE-2022-22786 (CVSS rating: 7,5) - Zoom Client for Meetings for Windows package downgrade update
CVE-2022-22787 (CVSS rating: 5,9) - Insufficient validation of hostname when switching server in Zoom Client for Meetings
Successfully exploiting these issues could allow an attacker to force the Zoom client program to disguise itself as a Zoom user, log on to a malicious server, and even download a malicious update, resulting in arbitrary code execution.
Fratric called the attack "a case in point."XMPP Stanza Smuggling, Adding that "a user may be able to falsify messages as if they were coming from another user" and that "an attacker may send control messages that will be accepted because they appear to be coming from the server".
Το CVE-2022-22786 επηρεάζει τα Windows, ενώ τα CVE-2022-22784, CVE-2022-22785 και CVE-2022-22787 επηρεάζουν τα Android, iOS, Linux, MacOS and Windows.
Recommended to users of the application to update to the latest version (5.10.0) to mitigate any potential threats resulting from active exploitation of the flaws.