Google Project Zero researchers have discovered numerous vulnerabilities in the Zoom app that could expose users to attacks. Zoom fixed flaws following bug reports.
Zoom application vulnerabilities
In a recent advisory, Zoom mentioned a few recently patched vulnerabilities affecting the privacy of app users. These vulnerabilities first caught the attention of Natalie Silvanovich of Google Project Zero.
The first of these bugs is a high severity buffer overflow vulnerability (CVE-2021-34423). The bug received a CVSS score of 7.2. This has affected Zoom clients for all major operating systems (for desktops and other devices) and other on-premises applications.
As described in the notice,
A buffer overflow vulnerability has been discovered … This can potentially allow a malicious actor to crash the service or application, or exploit this vulnerability to execute arbitrary code.
The second vulnerability, CVE-2021-34424, was a medium-severity bug that received a CVSS score of 5.3. This vulnerability also affected a range of Zoom clients and on-premises applications. Describing this bug, the advisory states:
A vulnerability was discovered … which potentially allowed the process memory state to be exposed. This problem could be used to potentially gain insight into arbitrary areas of product memory.
Following the researcher’s report, Zoom fixed both vulnerabilities with the latest versions. Users can view the list of affected products shared in the Zoom notice to see the security status of their applications. While it is ideal to make sure to always update the respective Zoom apps to the latest versions to receive the fixes anyway.
Earlier this month, Zoom also fixed numerous bugs in its on-premises applications that put the security of Meetings at risk.
While users may need to update their apps, for now manually, Zoom also announced a big change this month. With the latest Zoom clients for Windows and Mac, users can turn on automatic updates for the app. Unfortunately, however, this feature is still missing from Linux users.
Let us know your thoughts in the comments.