Zoom Releases Patches for Multiple Critical Security Vulnerabilities

Video messaging giant Zoom has released patches for multiple security vulnerabilities in its software. The vulnerabilities affect Zoom clients for Windows, macOS, Linux, iOS, and Android, as well as the Zoom Rooms platform.

Improper Input Validation – (CVE-2023-39209, CVE-2023-39216, CVE-2023-39217, CVSS scores of 5.9, 9.6, 5.3)

These vulnerabilities affected various versions of Zoom’s desktop client for Windows. They allowed both authenticated and unauthenticated users to exploit improper input validation, leading to possible information disclosure or escalation of privileges. The prompt patching of these issues marks an essential step in safeguarding user privacy.

One of the most serious vulnerabilities, CVE-2023-39216, allows an unauthenticated attacker to enable an escalation of privilege via network access. This vulnerability is caused by improper input validation in the Zoom Desktop Client for Windows. An attacker could exploit this vulnerability by sending a specially crafted message to a Zoom user, which could then be used to gain administrative privileges on the user’s system.

Exposure of Sensitive Information – (CVE-2023-39214, CVSS score of 7.6)

The Zoom Client SDK’s were found to expose sensitive information that could be leveraged by an authenticated user to enable a denial of service. With this vulnerability affecting Windows, iOS, Android, macOS, and Linux, the breadth of the risk was widespread, making the patching process crucial for all users.

Improper Privilege Management and Untrusted Search Paths -(CVE-2023-39211, CVE-2023-39212, CVE-2023-36540, CVSS scores of 8.8, 7.9, 7.3)

These vulnerabilities presented significant risks, enabling authenticated users to misuse privileges, disclose information, or cause denial of service attacks. Their presence in various Windows applications of Zoom underlined the urgency of addressing them.

Escalation of Privileges and Other Risks – (CVE-2023-36534, CVE-2023-36541, CVE-2023-39213, CVSS scores of 9.3, 8.0, 9.6)

Other noteworthy vulnerabilities include path traversal in Zoom’s desktop client for Windows, and insufficient verification of data authenticity. These flaws had the potential to allow unauthenticated or authenticated users to enable an escalation of privilege, further emphasizing the multi-faceted nature of cybersecurity.

Another serious vulnerability, CVE-2023-36534, allows an unauthenticated attacker to enable a path traversal attack. This vulnerability is caused by a flaw in the Zoom Desktop Client for Windows. An attacker could exploit this vulnerability by sending a specially crafted URL to a Zoom user, which could then be used to access sensitive files on the user’s system.

CVE-2023-39213 allows an unauthenticated user to enable an escalation of privilege via network access. This vulnerability is caused by the improper neutralization of special elements in the Zoom Rooms for Windows and Zoom VDI Client. An attacker could exploit this vulnerability by sending a specially crafted message to a Zoom user, which could then be used to gain administrative privileges on the user’s system.

And Many More.

The comprehensive list of vulnerabilities addressed by Zoom also included issues related to clear text storage of sensitive information, client-side enforcement of server-side security, uncontrolled resource consumption, and buffer overflow. These vulnerabilities had varying levels of severity, affecting a wide array of Zoom’s products and platforms.

Protecting Yourself: What Can You Do?

Zoom users are encouraged to update their software to the latest version as soon as possible to protect themselves from these vulnerabilities. The latest version of Zoom is available for download from the Zoom website.