Zoom fixes two high-risk security flaws, CVE-2023-22885 and CVE-2023-22883

Video messaging giant Zoom has released patches for multiple security vulnerabilities that expose both Windows and macOS users to attacks. In its security bulletin, Zoom gave two of them a "high-severity" rating: CVE-2023-22885 (CVSS score of 8.3) and CVE-2023-22883 (CVSS score of 7.2).

Improper Trust Boundary Implementation for SMB in Zoom Clients (CVE-2023-22885)

Zoom clients prior to version 5.13.5 contain a vulnerability that stems from an improper trust boundary implementation. This flaw exposes users to potential attacks when saving local recordings to an SMB location and subsequently opening them via a link from Zoom’s web portal.

Malicious actors can exploit this vulnerability by setting up a rogue SMB server that answers the client's requests, causing the client to run attacker-controlled executables. As a result, the attacker could gain access to the user's device and data and execute code remotely. Affected products include Zoom clients (for Android, iOS, Linux, macOS, and Windows) and Zoom Rooms clients before version 5.13.5.

Local Privilege Escalation in Zoom for macOS and Windows Installers (CVE-2023-22884, CVE-2023-22883)

The Zoom Client for IT Admin macOS and Windows installers before version 5.13.5 suffer from a local privilege escalation vulnerability. A low-privileged user can exploit this flaw during the installation process, escalating their privileges to root on macOS or SYSTEM on Windows.

Denial of Service in Zoom Clients (CVE-2023-22881, CVE-2023-22882)

Zoom clients before version 5.13.5 are susceptible to a denial of service (DoS) vulnerability due to a flaw in STUN parsing. An attacker can exploit this vulnerability by sending specially crafted UDP traffic to a victim Zoom client, causing the client to crash and rendering it inoperable.

Information Disclosure in Zoom for Windows Clients (CVE-2023-22880)

Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5, and Zoom VDI for Windows clients before 5.13.1 are affected by an information disclosure vulnerability. This issue arises from a recent update to the Microsoft Edge WebView2 runtime, which transmits text to Microsoft’s online Spellcheck service rather than the local Windows Spellcheck.

Updating Zoom disables the feature and resolves the vulnerability. Alternatively, updating the Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom also addresses the vulnerability, because the newer runtime corrects Microsoft's telemetry behavior.

Protecting Yourself from Zoom Vulnerabilities

To safeguard your devices and data from these vulnerabilities, ensure you update your Zoom clients to the latest versions, as recommended by the company. By staying informed and vigilant, you can continue to enjoy Zoom’s services while minimizing security risks.
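For an administrator who has to check a fleet rather than a single machine, the practical question is which installed builds still fall below the fixed versions listed in this article, including the WebView2 runtime alternative for CVE-2023-22880. The following script is an added example, not Zoom's tooling or code from the original bulletin: it compares inventory records against the fixed versions quoted above. The product keys (`client`, `rooms`, `vdi`, `it-admin-installer`), the platform names and the inventory record format are assumptions made for the example; the version thresholds are the ones stated in the article.

```python
"""Flag Zoom installs that are still below the fixed versions named in the advisory.

Added example. Product/platform keys and the inventory layout are assumptions;
the version thresholds come from the article text.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '5.13.5' or '5.13.5 (1234)' into a tuple of ints that compares correctly."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


# Minimum fixed version per (product, platform) for each CVE, as stated in the article.
# A platform of "*" means every platform the article lists for that product.
FIXED_IN: Dict[str, Dict[Tuple[str, str], Version]] = {
    "CVE-2023-22885": {("client", "*"): (5, 13, 5), ("rooms", "*"): (5, 13, 5)},
    "CVE-2023-22881": {("client", "*"): (5, 13, 5)},
    "CVE-2023-22882": {("client", "*"): (5, 13, 5)},
    "CVE-2023-22883": {("it-admin-installer", "windows"): (5, 13, 5),
                       ("it-admin-installer", "macos"): (5, 13, 5)},
    "CVE-2023-22884": {("it-admin-installer", "windows"): (5, 13, 5),
                       ("it-admin-installer", "macos"): (5, 13, 5)},
    "CVE-2023-22880": {("client", "windows"): (5, 13, 3),
                       ("rooms", "windows"): (5, 13, 5),
                       ("vdi", "windows"): (5, 13, 1)},
}

# Alternative mitigation for CVE-2023-22880: a WebView2 runtime at or above this build.
WEBVIEW2_FIXED: Version = (109, 0, 1481, 0)


def applicable_cves(product: str, platform: str, version: str,
                    webview2_version: Optional[str] = None) -> List[str]:
    """Return the CVEs from the article that still apply to one install."""
    installed = parse_version(version)
    hits: List[str] = []
    for cve, table in FIXED_IN.items():
        fixed = table.get((product, platform)) or table.get((product, "*"))
        if fixed is None or installed >= fixed:
            continue  # product not affected, or already at/above the fixed build
        if (cve == "CVE-2023-22880" and webview2_version is not None
                and parse_version(webview2_version) >= WEBVIEW2_FIXED):
            continue  # runtime update is an accepted alternative fix for this one
        hits.append(cve)
    return sorted(hits)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host in an inventory export to the CVEs it is still exposed to."""
    report: Dict[str, List[str]] = {}
    for record in inventory:
        report[record["host"]] = applicable_cves(
            record["product"], record["platform"], record["version"],
            record.get("webview2"))
    return report


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "client", "platform": "windows", "version": "5.13.0"},
    {"host": "ws-02", "product": "client", "platform": "windows", "version": "5.13.0",
     "webview2": "109.0.1481.0"},
    {"host": "mac-01", "product": "client", "platform": "macos", "version": "5.13.5"},
    {"host": "vdi-01", "product": "vdi", "platform": "windows", "version": "5.13.0"},
    {"host": "room-01", "product": "rooms", "platform": "linux", "version": "5.13.4"},
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'up to date'}")
```

Because `parse_version` compares tuples of integers, a build string such as `5.13.5 (1234)` sorts correctly against the bare `5.13.5` threshold, which a plain string comparison would get wrong. Feeding it a real inventory export only requires mapping your own product names onto the keys in `FIXED_IN`.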