New Zoom bugs that could let attackers hack you with a simple message

Four new flaws in Zoom allowed attackers to compromise you simply by sending you a message.

The popular video conferencing service Zoom has already fixed four security vulnerabilities that could be used to compromise another user via chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing code.

The four bugs, tracked as CVE-2022-22784 through CVE-2022-22787, carry severity ratings between 5.9 and 8.1. All four were discovered in February 2022 by Ivan Fratric of Google Project Zero.

The list of flaws is as follows:
CVE-2022-22784 (CVSS score: 8.1) - Incorrect XML parsing in Zoom Client for
CVE-2022-22785 (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22786 (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22787 (CVSS score: 5.9) - Insufficient validation of hostname when switching server in Zoom Client for Meetings

Successful exploitation of these issues could allow an attacker to force the Zoom client program to impersonate a Zoom user, connect to a malicious server, and even download a malicious , resulting in arbitrary code execution.

Fratric called the attack a case of "XMPP Stanza Smuggling", adding that "a user may be able to falsify messages as if they were coming from another user" and that "an attacker may send control messages that will be accepted because they appear to be coming from the server".

CVE-2022-22786 affects Windows, while CVE-2022-22784, CVE-2022-22785 and CVE-2022-22787 affect Android, iOS, Linux, macOS and Windows.

Users of the application are advised to update to the latest version (5.10.0) to mitigate any potential threats arising from the active exploitation of the defects.
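The platform scope and fixed version above can be turned into a quick inventory triage. The following is an added example, not code from Zoom or Project Zero; the inventory records, host names and build numbers in parentheses are constructed, and it assumes every client below 5.10.0 is affected, in line with the update advice above.

```python
import re

FIXED = (5, 10, 0)  # version the article advises updating to
ALL_PLATFORMS = {"android", "ios", "linux", "macos", "windows"}
# Platform scope exactly as stated in the article
CVE_PLATFORMS = {
    "CVE-2022-22784": ALL_PLATFORMS,
    "CVE-2022-22785": ALL_PLATFORMS,
    "CVE-2022-22786": {"windows"},
    "CVE-2022-22787": ALL_PLATFORMS,
}

def parse_version(text):
    """Return (major, minor, patch) from e.g. '5.9.6 (4756)', or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(record):
    """Classify one inventory record as patched, vulnerable or review."""
    host = record.get("host")
    os_name = (record.get("os") or "").strip().lower()
    version = parse_version(record.get("zoom_version"))
    if version is None or os_name not in ALL_PLATFORMS:
        # Unknown data must not be silently counted as patched.
        return {"host": host, "status": "review", "cves": []}
    # Compare as integer tuples: as strings, "5.9.6" sorts after "5.10.0".
    if version >= FIXED:
        return {"host": host, "status": "patched", "cves": []}
    cves = sorted(c for c, p in CVE_PLATFORMS.items() if os_name in p)
    return {"host": host, "status": "vulnerable", "cves": cves}

# Constructed sample inventory (hypothetical hosts and builds)
INVENTORY = [
    {"host": "ws-014", "os": "Windows", "zoom_version": "5.9.6 (4756)"},
    {"host": "mac-202", "os": "macOS", "zoom_version": "5.9.3"},
    {"host": "lnx-007", "os": "Linux", "zoom_version": "5.10.0 (2450)"},
    {"host": "kiosk-3", "os": "Windows", "zoom_version": "unknown"},
    {"host": "ws-099", "os": "Windows", "zoom_version": "5.10.4"},
]

def report(inventory=INVENTORY):
    """Triage every record in the inventory."""
    return [triage(r) for r in inventory]

if __name__ == "__main__":
    for row in report():
        print(row["host"], row["status"], ", ".join(row["cves"]))
```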


Written by Dimitris
