A pair of security researchers have uncovered many 0day vulnerabilities in Zoom in recent days that would allow hackers to take over someone's computer, even if the victim does not click.
Zoom told Gizmodo that a server side update was released on Friday to address vulnerabilities and that users do not need to do anything.
The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a security company, as part of the competition Pwn2Own 2021 organized by the Zero Day Initiative. Although not many details about these vulnerabilities are known due to competition policy, the researchers actually used a three-tier error in the desktop Zoom application to perform remote code execution on the destination system.
The user does not have to click to succeed in the attack. You can see the error below.
- Zero Day Initiative (@thezdi) April 7, 2021
In one statement on the victory of Keuper and Alkemade, Computest Security reported that the researchers were able to take almost all of the targeted systems, performing actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and taking a history of the program browsing.
In case you forgot, the Zoom was not synonymous with security last year. There were Zoom Bombings that took advantage of Zoom's then loose control measures to drop porn clips and Nazi slogans in online sessions.