Zoom is scrambling to fix another zero-day vulnerability in its Windows client, this time potentially leading to arbitrary remote code execution.
Acros Security CEO Mitja Kolsek revealed the news in a blog post, explaining that the researcher who found the bug had not disclosed it to the vendor or to a third-party broker, “but would not object to us reporting it to Zoom.”
“We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft's official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft's Extended Security Updates or with 0patch,” he explained.
“We then documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing. Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher's choice.”
Acros Security’s 0patch service delivers “micropatches”: small in-memory fixes applied to running processes, so administrators do not need to restart those processes or wait for a vendor update.
The firm has decided to provide the micropatches for this issue free of charge to anyone who installs the 0patch Agent. They will automatically be retired as soon as Zoom releases an update that fixes the vulnerability, it said.
No technical details of the zero-day are available at present; however, Zoom sent a brief statement to Infosecurity.
“Zoom takes all reports of potential security vulnerabilities seriously," it noted. "Yesterday morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
Zoom has been on a hiring spree of late in a bid to ramp up its security credentials. Most recently it announced Salesforce SVP of security operations, Jason Lee, as its new CISO.
The video conferencing firm has also signed up former Facebook CSO Alex Stamos as an advisor, Luta Security as a new partner to help rebuild its bug bounty program, Johns Hopkins cryptography expert Matthew Green, former Google privacy technology lead Lea Kissner, and cybersecurity consultancy NCC Group.