The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

Zoom Patches ‘Zero-Click’ RCE Bug

May 25, 2022

A Google Project Zero researcher found a bug in XML parsing in the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.

Google Project Zero security researcher Ivan Fratric said in a report that an attacker can compromise a victim’s machine over Zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity score of 5.9.


“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan said.

So-called zero-click attacks do not require users to take any action and are especially powerful, since even the most tech-savvy users can fall prey to them.


XMPP stands for Extensible Messaging and Presence Protocol; it delivers XML elements called stanzas over a stream connection to exchange messages and presence information in real time. Zoom uses this protocol for its chat functionality.

According to a security bulletin published by Zoom, CVE-2022-22786 (CVSS score 7.5) affects Windows users, while CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 affect Zoom client versions before 5.10 running on Android, iOS, Linux, macOS, and Windows.

How the Bug Works

The underlying vulnerability, which Ivan describes as “XMPP stanza smuggling”, abuses parsing inconsistencies between the XML parsers in the Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim’s machine.

An attacker sending a specially crafted control stanza can force the target client to connect to a malicious server, leading to a range of attacks from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in the XMPP stanza smuggling vulnerability is exploiting the “ClusterSwitch task in the Zoom client, with an attacker-controlled ‘web domain’ as a parameter”.
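To make the bug class concrete, the following is an added illustration and is not Zoom’s code or the researcher’s exploit. It shows, with toy functions and a constructed stanza, how text that one component treats as an escaped string can become live markup when a relay rebuilds the stanza by string concatenation instead of proper XML serialization, so the receiving side suddenly sees extra stanzas. The hardened relay and the receiver-side stanza-count check are the defensive patterns to take away; the names `relay_naive`, `relay_safe`, `count_stanzas` and `receiver_accepts` are assumptions of this example.

```python
"""Illustration of XML parse/serialize mismatch ("stanza smuggling").
Toy code for a security article; not Zoom's implementation."""
import xml.etree.ElementTree as ET

# Constructed inbound stanza (not from the article). The <body> text is
# entity-encoded, so a conforming parser sees ONE <message> whose body is
# a plain string that merely *looks* like markup once decoded.
INBOUND = (
    '<message from="attacker@example.org" to="victim@example.org">'
    '<body>hi&lt;/body&gt;&lt;/message&gt;'
    '&lt;iq type="set" id="smuggled"/&gt;'
    '&lt;message&gt;&lt;body&gt;tail</body>'
    '</message>'
)


def count_stanzas(xml_fragment: str) -> int:
    """Parse a fragment as children of an XMPP stream and count top-level stanzas.

    Raises xml.etree.ElementTree.ParseError on malformed input.
    """
    root = ET.fromstring(f"<stream>{xml_fragment}</stream>")
    return len(list(root))


def relay_naive(stanza_xml: str) -> str:
    """Vulnerable pattern: parse the stanza, pull out the *decoded* body text,
    then rebuild the stanza with string formatting and no re-escaping.
    The decoded text is now interpreted as markup by the next parser."""
    msg = ET.fromstring(stanza_xml)
    body = msg.find("body").text or ""
    return (
        f'<message from="{msg.get("from")}" to="{msg.get("to")}">'
        f"<body>{body}</body></message>"
    )


def relay_safe(stanza_xml: str) -> str:
    """Hardened pattern: rebuild through the XML library so text stays text.
    ET.tostring re-escapes '<', '>' and '&' in character data."""
    msg = ET.fromstring(stanza_xml)
    out = ET.Element("message", {"from": msg.get("from"), "to": msg.get("to")})
    ET.SubElement(out, "body").text = msg.find("body").text or ""
    return ET.tostring(out, encoding="unicode")


def receiver_accepts(fragment: str) -> bool:
    """Client-side check: a relayed single message must still parse as
    exactly one top-level stanza; anything else is rejected."""
    try:
        return count_stanzas(fragment) == 1
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print("inbound stanzas:", count_stanzas(INBOUND))                 # 1
    print("after naive relay:", count_stanzas(relay_naive(INBOUND)))   # 3
    print("after safe relay:", count_stanzas(relay_safe(INBOUND)))     # 1
    print("receiver accepts naive:", receiver_accepts(relay_naive(INBOUND)))
    print("receiver accepts safe:", receiver_accepts(relay_safe(INBOUND)))
```

The point is that the same bytes are "one stanza" to the first parser and "three stanzas" to the second; any hop that decodes XML and re-emits it with anything other than an escaping serializer recreates this class of bug, and a receiver that asserts on the expected stanza count catches the symptom even when the relay is wrong.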


Some parts of this report are sourced from:
threatpost.com

Copyright © TheCyberSecurity.News, All Rights Reserved.