Multiple Vulnerabilities Spotted In Zoom Video Conferencing App

Researchers from Google Project Zero have discovered numerous vulnerabilities in the Zoom app that could expose users to attacks. Zoom patched the flaws following the bug reports.

Zoom App Vulnerabilities

In a recent advisory, Zoom has mentioned a couple of newly fixed vulnerabilities affecting app users’ privacy. These vulnerabilities first caught the attention of Natalie Silvanovich of Google Project Zero.

The first of these bugs is a high-severity buffer overflow vulnerability (CVE-2021-34423). The bug received a CVSS score of 7.2. It affected Zoom clients for all major operating systems (for both desktops and other devices) and other on-premise apps.

As described in the advisory,

A buffer overflow vulnerability was discovered… This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.

The second vulnerability, CVE-2021-34424, was a medium severity bug that received a CVSS score of 5.3. This vulnerability also affected a range of Zoom Clients and on-premise apps. Describing this bug, the advisory reads,

A vulnerability was discovered… which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.

Following the report from the researcher, Zoom patched both the vulnerabilities with the latest releases. Users can take a look at the list of affected products shared in Zoom’s advisory to know about the security status of their apps. Whereas it’s ideal to ensure still updating the respective Zoom apps to the latest releases to receive any patches anyway.

Earlier this month, Zoom also fixed numerous bugs in its on-premise apps that risked Meetings’ security.

While users might have to update their apps, for now manually, Zoom has also announced a significant change this month. With the latest Zoom clients for Windows and Mac, users can enable automatic updates for the app. Unfortunately, however, this feature still misses out on Linux users.

Let us know your thoughts in the comments.

Related posts

NachoVPN Attack Risks Corporate VPN Clients

Sweet Security Introduces Evolutionary Leap in Cloud Detection and Response, Releasing First Unified Detection & Response Platform

Anti-Spam WordPress Plugin Vulnerabilities Risked 200K+ Websites