Zoom is reportedly working on a patch for a zero-day vulnerability that was disclosed Thursday by a cybersecurity firm.
The vulnerability, discovered by ACROS Security, affects the Zoom Client for Windows only when it runs on Windows 7 or an older Windows release; current versions such as Windows 10 are not affected.
Microsoft ended support for Windows 7 in January 2020, but many home and office users still run it, some of them under Microsoft's paid Extended Security Updates program, which covers the operating system itself but not third-party applications such as Zoom.
In a blog post, ACROS described how a remote attacker could execute arbitrary code on a victim's computer that has Zoom Client for Windows installed.
According to ACROS, the attack requires only that the victim perform an ordinary action, such as opening a document file.
The vulnerability was reported to Zoom Thursday along with a working proof of concept and recommendations for fixing it.
A video published by ACROS Security demonstrates how the attack works and how it can be prevented.
According to ZDNet, Zoom confirmed the vulnerability and said it was working on a patch.
“Zoom takes all reports of potential security vulnerabilities seriously,” Zoom told ZDNet. “This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
Ironically, the zero-day disclosure comes just days after Zoom ended its 90-day freeze on non-security feature work. That three-month security focus, announced on April 1 and ended on July 1, was the company's response to the security and privacy problems exposed when coronavirus-driven remote work sent usage of the video application soaring.
During those three months, Zoom took a series of steps to restore user confidence after some institutions banned the product because lax defaults let uninvited participants join meetings. The changes included a redesigned security-focused user interface, several senior security hires, safer meeting defaults such as passcodes and waiting rooms enabled out of the box, controls over which data centers route meeting traffic, and more.