Zoom Patches Legacy Windows Zero-Day Bug

Written by

Zoom has fixed a zero-day vulnerability announced last week which affects legacy Windows customers.

The popular video conferencing platform worked quickly to patch the bug, which was announced by Acros Security in a blog post at the same time as the firm itself was informed.

“Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10,” noted a brief statement sent to Infosecurity.

“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

There were no details provided of the software flaw at the time, but it’s believed to have required some kind of user interaction to exploit, possibly via a phishing email. It was characterized as enabling arbitrary remote code execution.

While Windows 7 is technically no longer officially supported by Microsoft, there are still plenty of organizations out there with Extended Security Updates or who use virtual patching to maintain legacy installations.

Zoom released a further update on Sunday designed to deliver “minor bug fixes,” as well as AES-256 bit encryption for Zoom phone devices, call monitoring capabilities, customized speed dial and more.

Back in April, Zoom became a victim of its own success after several serious vulnerabilities were found in its platform by researchers, after the product’s daily meeting participants had soared from 10 million in December to roughly 200 million in March.

These included a vulnerability in the Zoom Windows client which could have been exploited to steal user passwords, and two flaws in the macOS app which could have been abused to remotely install malware or eavesdrop on users.

The firm announced Salesforce senior vice-president of security operations, Jason Lee, as its new CISO last month, and has also brought on board several high-profile industry experts as consultants and advisors.

These include former Facebook CSO, Alex Stamos, John Hopkins cryptography expert Matthew Green, Luta Security and NCC Group.

What’s hot on Infosecurity Magazine?