Critical Vulnerability in Zoom Discovered During Pwn2Own
The Flaw Triggers Remote Code Execution Without User Interaction on the Windows and Mac Versions of Zoom, But It Doesn’t Affect the Browser Version.
Security researchers have discovered a zero-day vulnerability in the video conferencing platform Zoom that threat actors could use to launch remote code execution (RCE) attacks.
The flaw was discovered as part of the Pwn2Own contest, organized by cybersecurity firm Trend Micro’s Zero Day Initiative (ZDI). The competition invites white-hat security specialists to discover zero-day vulnerabilities in popular software and services.
Daan Keuper and Thijs Alkemade, from the Netherlands-based Computest, won $200,000 for their Zoom discovery.
The researchers revealed a three-bug attack chain that caused an RCE on a target machine, without any form of user interaction.
Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own pic.twitter.com/dLFpH1uq8G
— Zero Day Initiative (@thezdi) April 7, 2021
Since Zoom has not yet had time to patch the security issue, the specific technical details of the vulnerability have not been made public. It is standard practice to give vendors a 90-day window to fix a newly discovered security flaw.
However, the Zero Day Initiative posted an animated gif of the attack demonstrating how the exploit opened the calculator program on a PC running Zoom.
We’re still confirming the details of the #Zoom exploit with Daan and Thijs, but here’s a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW
— Zero Day Initiative (@thezdi) April 7, 2021
According to a Malwarebytes report, the attack works on the Windows and Mac versions of the Zoom software, but it does not affect the browser version. It is not clear whether the iOS and Android apps are vulnerable since Keuper and Alkemade did not look into them.
Following the discovery, Zoom expressed its gratitude to the winning team, saying:
We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars is not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.
As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.
For the time being, the only ones who know how the vulnerability works are the two security researchers and Zoom. As long as it stays that way, there is not much that Zoom users have to worry about. The chances of this attack being used in the wild are low, but if you’re concerned, you can use the Zoom browser interface until a patch is released.