Two Critical Flaws in Zoom Application version 4.6.10

  • CERT Admin
  • Wed Jun 10 2020
  • Alerts

Systems Affected 

Zoom application version 4.6.10 

Threat Level 

Medium 

Overview 

Cybersecurity researchers have identified two vulnerabilities in the Zoom application that attackers could exploit through its chat feature to compromise the application and the system it runs on.

Description 

This does not apply to the end-to-end encryption feature, which is available only to paying customers. Cybersecurity researchers have identified two vulnerabilities that can be used to gain remote access to a system running the free version 4.6.10. The first vulnerability (CVE-2020-6109) resides in Zoom's GIPHY service, which lets participants exchange GIFs while chatting; an attacker could send a maliciously crafted GIF image to take over the system. The second vulnerability (CVE-2020-6110) resides in the way the Zoom application processes code snippets shared through the chat, and could likewise be exploited to gain remote access to the system. Both vulnerabilities were identified and tested on version 4.6.10 of the Zoom application. Zoom has subsequently released a security patch, version 4.6.12.

Impact 

  ✻  Possibility of exposing confidential information to unauthorised parties 

Solution/ Workarounds 

  ✻  Users are advised to install the free security patch and update to the latest version 4.6.12 of Zoom;
     https://zoom.us/docs/en-us/zoom-v5-0.html?zcid=1231  
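A practical check for the advice above, added here as an example and not part of the advisory or of Zoom's own tooling: given an inventory of hosts and their installed Zoom versions (constructed sample data, hypothetical hostnames), it flags every install older than the patched 4.6.12 release. Versions are compared field by field as integers, because a plain string comparison would wrongly rank "4.6.9" above "4.6.12".

```python
# Added example (not from the advisory): flag Zoom installs older than the
# patched release. Only dotted numeric version strings such as "4.6.10" are
# handled; anything else raises ValueError rather than being silently skipped.
from typing import List, Tuple

FIXED_VERSION = "4.6.12"  # patched release named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.6.10' into (4, 6, 10); extra numeric fields are kept."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    # Pad with zeros so "4.6.12" and "4.6.12.0" compare as equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts from (host, version) pairs that still need the update."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("laptop-01", "4.6.10"),   # the affected version from the advisory
    ("laptop-02", "4.6.12"),   # already patched
    ("laptop-03", "4.6.9"),    # older than 4.6.10, also unpatched
    ("laptop-04", "5.0.2"),    # newer major release
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Zoom older than {FIXED_VERSION}, update required")
```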

References 

  ✻  https://www.cert-in.org.in
  ✻  https://zoom.us/docs/en-us/zoom-v5-0.html?zcid=1231
  ✻  https://thehackernews.com/2020/06/zoom-video-software-hacking.html  

Disclaimer 

The information provided herein is on "as is" basis, without warranty of any kind. 

Last updated: Wed Jun 10 2020