A little more than a week after its self-imposed feature freeze ended, Zoom is working on a patch for a zero-day remote code execution vulnerability in Zoom Client for Windows that could affect versions of Microsoft Windows 7 and earlier.
In the meantime, researchers at ACROS Security developed and released a micropatch that “removes the vulnerability in four different places in the code” and was “ported from the latest version of Zoom Client for Windows (5.1.2) to previous five versions back to 5.0.3 released on May 17, 2020,” according to a 0patch blog post.
Noting that “Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don't want to be,” the researchers wrote that “enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions (which is currently the case).”
When 0patch is enabled, “the vulnerability is removed from the running Zoom.exe process” so malicious code isn’t executed when a user clicks on the "Start Video" button.
“What makes this case worse is that the OS (Windows 7) involved in this latest vulnerability is one that’s no longer supported by Microsoft,” said Timothy Chiu, vice president of marketing at K2 Cyber Security. “Unsupported code has the added problem that it’s unlikely a fix will be forthcoming. In this case, Zoom may be able to fix their code, but it’s not likely any help will come from Microsoft.”
The ACROS team was alerted to the vulnerability by a security researcher who discovered it but wishes to remain anonymous.