Zoom is working on a fix for a “zero-day” flaw disclosed in its Windows client


Videoconferencing software maker Zoom is working to fix a zero-day vulnerability that was revealed online earlier today in a blog post by cybersecurity company Acros Security. The security firm said the zero-day affects the Zoom client for Windows, but only when the client is running on older versions of the Windows operating system, such as Windows 7 and Windows Server 2008 R2, and earlier.

Zoom clients running Windows 8 or Windows 10 are not affected, according to Mitja Kolsek, general manager of Acros Security.

“The vulnerability allows a remote attacker to execute arbitrary code on the victim’s computer where the Zoom client for Windows is installed (any version currently supported) by causing the user to perform a typical action such as opening a document file,” said Mitja Kolsek. “No security warning is shown to the user during an attack,” he added.

No timetable given

Mitja Kolsek clarified that Acros did not discover the vulnerability on its own, but rather received it from a security researcher who wanted to keep his identity a secret. Acros reported the zero-day to Zoom earlier today and released an update to its 0patch client to prevent attacks against its own customers until Zoom releases an official fix.

Acros hasn’t released any technical details about the zero-day, but in a statement from a Zoom spokesperson received by ZDNet, the company confirmed the vulnerability and the accuracy of the report. “Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report on an issue affecting users of Windows 7 and above. We have confirmed this issue and are working on a fix to resolve it quickly.”

The Zoom spokesperson was unable to commit to a patch availability schedule due to the unpredictability of developing a full patch; however, a fix is currently under development.

Feature freeze

After the discovery and disclosure of several security issues with the Zoom service, on April 1 the company halted development of all new features to focus only on security and privacy enhancements and bug fixes. This feature freeze period, during which the company focused on improving application security, ended on July 1.

A few days earlier, on June 24, Zoom had also hired a new Chief Information Security Officer (CISO), Jason Lee, who was previously the senior vice president of security operations at Salesforce.

During the feature freeze period, Zoom also hired Luta Security to help the company set up a professional bug bounty program. Zoom and Luta Security ended their collaboration the day Jason Lee was hired.

Source: ZDNet.com

Source: www.zdnet.fr
