The Register reports that fixes have been issued by Zoom for a medium-severity security flaw, tracked as CVE-2022-22787, which could be abused to facilitate malicious code execution.
Attackers could exploit the vulnerability, discovered and reported by Google Project Zero bug hunter Ivan Fratric, to conduct "XMPP stanza smuggling" attacks that deliver malware and spyware without the need for user interaction.
"The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," said Fratric, who added that XML parsing inconsistencies in the Zoom client and server software are being leveraged to allow malicious XMPP stanza smuggling to the victim client.
Abusing the flaw through a man-in-the-middle server also revealed a large amount of /clusterswitch endpoint data.
"Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications," Fratric added.