Zoom users have been alerted to a brand new threat that begins with them receiving a single message. Security experts at Google’s Project Zero team have discovered a new Zoom bug in which a specially crafted – and compromised – message is sent by hackers to an innocent victim. This single Zoom chat message can lead to bad actors executing malicious code on a victim’s machine as well as launching spyware and malware attacks.
Most worrying of all, this Zoom attack doesn’t even require any interaction from the victim.
The vulnerability can be exploited as long as a bad actor is able to send a Zoom message to their intended victim.
The threat was highlighted by Google Project Zero security researcher Ivan Fratric, who in a post online said: “This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.”
Zoom has labelled this flaw a ‘high’ severity threat, giving it an 8.1 score out of 10 using the Common Vulnerability Scoring System (CVSS) model.
The flaw affects all versions of Zoom, but thankfully there’s a way you can keep yourself safe today.
You simply need to download the latest update for Zoom, which is version 5.10.0.
Anyone who uses Zoom on Windows, Android, iOS, macOS or Linux needs to update their app right away.
Advising users about the danger, Ray Walsh – a digital privacy expert at ProPrivacy – said: “Unlike phishing attacks, for example, that require the victim to make a mistake, this remote code execution vulnerability can be carried out completely independently by hackers.
“The only saving grace is that this attack is fairly technical, making it less likely to be regularly exploited in the wild. That said, this is a serious enough flaw to warrant immediate patching by all Zoom users.”