New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

May 25, 2022


Popular video conferencing company Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all four flaws in February 2022.


The list of bugs is as follows:

  • CVE-2022-22784 (CVSS score: 8.1) – Improper XML Parsing in Zoom Client for Meetings
  • CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
  • CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
  • CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could allow an attacker to force a vulnerable client to masquerade as a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence a case of "XMPP Stanza Smuggling," adding that "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."

At its core, the issues take advantage of parsing inconsistencies between the XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas (the basic unit of communication in XMPP) to the victim client.


Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.
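The update-hijack and server-switch issues above both come down to two client-side checks: is the host the client is being redirected to really one of the vendor's, and is the offered package actually newer than what is installed? The following added example (written for this article, not Zoom's code) shows a hardened update-offer check with a label-bounded hostname allowlist, an HTTPS requirement and a strict version comparison that refuses equal or older versions. The domain, URLs and version strings are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hypothetical policy for this example: the vendor's update domain(s).
ALLOWED_UPDATE_DOMAINS = frozenset({"updates.example-vendor.test"})


class UpdateRejected(ValueError):
    """Raised when an offered update must not be installed."""


def hostname_allowed(hostname: str, allowed_domains: frozenset) -> bool:
    """True if hostname is an allowed domain or a subdomain of one.
    The suffix check is label-bounded, so 'evil-example-vendor.test' and
    'updates.example-vendor.test.attacker.test' do not match."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def parse_version(text: str) -> tuple:
    """'5.10.4' -> (5, 10, 4); anything non-numeric is rejected outright."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise UpdateRejected(f"unparseable version {text!r}")
    return tuple(int(p) for p in parts)


def validate_update_offer(installed: str, offered: str, package_url: str) -> tuple:
    """Return the offered version tuple if the offer is acceptable, else raise.
    An update must be fetched over TLS from an allowed host and must be newer
    than what is installed; equal or older versions are downgrades."""
    url = urlsplit(package_url)
    if url.scheme != "https":
        raise UpdateRejected(f"update must be fetched over https, got {url.scheme!r}")
    # urlsplit().hostname already strips userinfo and port, so a URL such as
    # https://updates.example-vendor.test@attacker.test/ resolves to attacker.test.
    if not url.hostname or not hostname_allowed(url.hostname, ALLOWED_UPDATE_DOMAINS):
        raise UpdateRejected(f"update host {url.hostname!r} not in allowlist")
    current, candidate = parse_version(installed), parse_version(offered)
    if candidate <= current:
        raise UpdateRejected(f"offered {offered} is not newer than installed {installed}")
    return candidate


if __name__ == "__main__":
    # Constructed usage: one acceptable offer and one downgrade attempt.
    print(validate_update_offer("5.9.1", "5.10.0",
                                "https://updates.example-vendor.test/client.msi"))
    try:
        validate_update_offer("5.10.0", "5.9.1",
                              "https://updates.example-vendor.test/client.msi")
    except UpdateRejected as exc:
        print("rejected:", exc)
```

A signature check on the downloaded package belongs alongside these checks; it is left out here because the page gives no detail on Zoom's package signing, and because a validly signed but older package is precisely what a downgrade attack serves, so the version comparison is needed even when signatures verify.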

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.

Users of the app are recommended to update to the latest version (5.10.) to mitigate any potential threats arising out of active exploitation of the flaws.

Some parts of this article are sourced from:
thehackernews.com
