"Messages Sent Through Zoom Can Expose People to Cyberattack"

A researcher from Google Project Zero discovered four vulnerabilities affecting Zoom. The four vulnerabilities range from 5.9 to 8.1 in severity. The researcher noted that the vulnerabilities could be exploited to compromise users over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code. The bugs are CVE-2022-22784 (CVSS score: 8.1), improper XML parsing in Zoom Client for Meetings; CVE-2022-22785 (CVSS score: 5.9), improperly constrained session cookies in Zoom Client for Meetings; CVE-2022-22786 (CVSS score: 7.5), update package downgrade in Zoom Client for Meetings for Windows; and CVE-2022-22787 (CVSS score: 5.9), insufficient hostname validation during server switch in Zoom Client for Meetings. The researcher stated that the issue at the core of these vulnerabilities is the ability of an attacker to find inconsistencies between the XML parsers in the software's client and server. When this happens, XMPP stanzas can be sent to the victim of the attack. This allows hackers to take advantage of the software update process, weaponizing it to deliver an outdated, less secure version of Zoom to prospective targets through a malicious server. The researcher stated that Microsoft systems with Zoom are the most susceptible to these vulnerabilities. However, Android, iOS, macOS, and Linux are all vulnerable to CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787. Zoom advises downloading the latest version of the app (5.10.0).
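As an added illustration, not Zoom's code or the researcher's, here are two client-side checks of the kind the summary says were weak: refusing a server switch to a host outside the vendor's domain (the CVE-2022-22787 class) and refusing an update package that is older than the installed client (the CVE-2022-22786 class). The trusted domain `zoom.us` and the dotted-numeric version format are assumptions made for the example.

```python
# Added example (not Zoom's implementation): hardened forms of a
# server-switch hostname check and an update-version check.
import ipaddress
import re

TRUSTED_SUFFIXES = ("zoom.us",)  # assumption: the vendor's own domain(s)
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_trusted_server(host: str) -> bool:
    """Accept a server-switch target only if it is a trusted domain or a
    proper subdomain of one. Matching is done on label boundaries, so
    'zoom.us.evil.example' and 'evilzoom.us' are both rejected."""
    host = host.strip().lower().rstrip(".")
    if "://" in host or "/" in host or "@" in host or ":" in host:
        return False  # URL pieces, userinfo or ports are not a bare hostname
    try:
        ipaddress.ip_address(host)
        return False  # bare IP literals can never match a trusted domain
    except ValueError:
        pass
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_version(version: str) -> tuple:
    """'5.10.0' -> (5, 10); trailing zero components are dropped so that
    '5.10' and '5.10.0' compare equal. Anything that is not dotted digits
    is rejected rather than silently ordered."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"malformed version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_acceptable_update(installed: str, offered: str) -> bool:
    """Refuse a downgrade: the offered package must be strictly newer than
    the installed client, compared numerically (a string comparison would
    wrongly rank '5.9.0' above '5.10.0')."""
    return parse_version(offered) > parse_version(installed)
```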


Infosecurity reports: "Messages Sent Through Zoom Can Expose People to Cyberattack"
