One of the flaws allowed for remote code execution, with Zoom users urged to patch immediately.
Zoom has patched several security vulnerabilities, including a high-severity one that could allow attackers to remotely execute code on the target endpoint (opens in new tab). The bug, first discovered by Google Project Zero security researcher Ivan Fratric, can be exploited without any interaction on the victim’s side.
“The only ability an attacker needs is to be able to send messages to the victim over Zoom (opens in new tab) chat over XMPP protocol“, Fratric said in his explanation of the flaw. Tracked as CVE-2022-22786, the flaw revolves around the fact that Zoom’s server, and that of the client, use different XML parsing libraries, and as a result, XMPP messages get parsed differently by the two.
