Two Critical Flaws in Zoom Application version 4.6.10

 

Systems Affected


Zoom client application version 4.6.10

Threat Level


Medium


Overview


Cybersecurity researchers have identified two vulnerabilities in the Zoom client that an attacker can exploit through the chat feature to compromise the system on which the client is running.


Description


These flaws are in the Zoom client application itself and are unrelated to the end-to-end encryption feature that Zoom has announced for paid customers. Cybersecurity researchers have identified two vulnerabilities in version 4.6.10 of the client that a malicious chat participant can exploit to gain remote access to the recipient's system.

The first vulnerability (CVE-2020-6109) is in the Zoom client's handling of the GIPHY service, which lets participants exchange animated GIFs while chatting. The client does not sanitise the file name under which a received GIF is saved, so an attacker can send a specially crafted chat message that writes a file outside the intended download directory (a path traversal), which in turn can be abused to achieve arbitrary code execution. The second vulnerability (CVE-2020-6110) is in the way the client processes code snippets shared through the chat: a shared snippet is delivered as a zip archive that the client unpacks without validating the paths of its entries, so a crafted archive can plant arbitrary files on the recipient's system and likewise lead to remote code execution. In both cases the attacker only needs to send the crafted message to a target user or group; for the most severe effect of the second flaw, the target user must also interact with the planted file.

The vulnerabilities were identified and tested on version 4.6.10 of the Zoom client. Zoom has subsequently released a security patch in version 4.6.12.
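Both flaws come down to the same mistake: the client lets a chat peer choose where a received file lands on disk. The following is an added example, not code from Zoom or from this advisory, that models that mistake and the check which prevents it. All names in it (naive_save_path, safe_save_path, save_gif, extract_snippets, run_demo), the sample file name "../../.bashrc" and the in-memory zip archive are hypothetical and constructed for illustration; only the idea (confine every peer-supplied path to the download directory before writing) is taken from the vulnerabilities described above.

```python
"""Added example (not Zoom's code): the unchecked file-write pattern behind
the two Zoom 4.6.10 chat flaws, beside a hardened replacement. Every
function and sample input here is a constructed, hypothetical model."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def naive_save_path(download_dir: str, name: str) -> str:
    """Vulnerable pattern: join the peer-supplied name onto the download
    directory and never check where it lands. '..' segments in the name
    walk out of download_dir, which is what makes an attacker-chosen GIF
    file name (CVE-2020-6109) or zip entry name (CVE-2020-6110) dangerous."""
    return os.path.normpath(os.path.join(download_dir, name))


def safe_save_path(download_dir: str, name: str) -> str:
    """Hardened pattern: resolve the joined path (symlinks included) and
    insist that it is a proper descendant of download_dir. Raises ValueError
    for any name that is empty, absolute, contains NUL, or escapes."""
    base = Path(download_dir).resolve()
    if not name or os.path.isabs(name) or "\x00" in name:
        raise ValueError(f"refusing unsafe name: {name!r}")
    candidate = (base / name).resolve()
    # candidate == base means the name collapsed to the directory itself
    # (e.g. "." or "sub/.."), which is not a valid place to save a file.
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"refusing path outside download dir: {name!r}")
    return str(candidate)


def is_confined(download_dir: str, name: str) -> bool:
    """True if safe_save_path() would accept this name."""
    try:
        safe_save_path(download_dir, name)
        return True
    except ValueError:
        return False


def save_gif(download_dir: str, name: str, data: bytes) -> str:
    """GIPHY case: the file name comes from the chat message, so it is
    validated before anything touches the disk."""
    dest = safe_save_path(download_dir, name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def extract_snippets(download_dir: str, archive: bytes):
    """Code-snippet case: every zip entry path is validated before it is
    unpacked. Returns (written entry names, rejected entry names)."""
    base = Path(download_dir).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                dest = safe_save_path(download_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(os.path.relpath(dest, base))
    return written, rejected


def build_malicious_archive() -> bytes:
    """Constructed sample: one legitimate snippet plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet.py", "print('hello from chat')\n")
        zf.writestr("../../evil.sh", "#!/bin/sh\necho owned\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise both cases against a throwaway download directory."""
    dl = os.path.join(tempfile.mkdtemp(), "zoom_downloads")
    os.mkdir(dl)
    gif_name = "../../.bashrc"  # constructed attacker-chosen GIF file name
    naive = naive_save_path(dl, gif_name)
    result = {
        "naive_gif_path": naive,
        "naive_escapes": not naive.startswith(dl + os.sep),
        "safe_gif_rejected": not is_confined(dl, gif_name),
        "safe_gif_path": save_gif(dl, "cat.gif", b"GIF89a"),
    }
    probes = ["cat.gif", "sub/cat.gif", "../cat.gif", "sub/../../cat.gif", "/etc/passwd", ""]
    result["probes"] = {n: is_confined(dl, n) for n in probes}
    result["zip_written"], result["zip_rejected"] = extract_snippets(dl, build_malicious_archive())
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the naive join placing "../../.bashrc" two directories above the download folder, while the hardened path rejects it and unpacks only "snippet.py" from the archive. The containment test compares resolved paths rather than string prefixes, so a symlink an attacker planted earlier inside the download directory cannot be used to escape either. CPython's own ZipFile.extractall() happens to strip ".." components itself; the explicit check matters for native clients and libraries that do not.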


Impact


  ✻  Arbitrary file write leading to remote code execution on the affected system by a malicious chat participant
  ✻  Possibility of exposing confidential information to unauthorised parties


Solution/ Workarounds


  ✻  Users are advised to install the security update and upgrade the Zoom client to version 4.6.12 or later;
     https://zoom.us/docs/en-us/zoom-v5-0.html?zcid=1231


References


  ✻  https://www.cert-in.org.in
  ✻  https://zoom.us/docs/en-us/zoom-v5-0.html?zcid=1231
  ✻  https://thehackernews.com/2020/06/zoom-video-software-hacking.html


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.