[German]ACROS Security has released a micropatch for the Remote Code Execution (RCE) vulnerability in Zoom for Windows. There is no CVE identifier for the vulnerability.
Mitja Kolsek of ACROS Security privately informed me that the micropatch for the 0-day RCE vulnerability in Zoom for Windows is available.
RCE vulnerability in Zoom for Windows
As Kolsek writes here, earlier this week a security researcher informed the ACROS Security Team about a “0day” vulnerability in the Zoom Client for Windows. The vulnerability allows a remote attacker to execute arbitrary code on the victim’s computer where the Zoom Client for Windows (any currently supported version) is installed. He only needs to trick the user into performing some typical actions, such as opening a document file. During the course of the attack, the user will not receive a security warning.
The researcher (who wants to keep his identity secret) stated that he had not reported Zoom’s vulnerability either directly or through an intermediary, but he wouldn’t mind if we informed Zoom about it.
Only Windows 7 affected
The people at ACROS Security have analyzed the problem and found that it is only exploitable on Windows 7 and older Windows systems. Although Microsoft’s official support for Windows 7 expired in January this year, there are still millions of home and business users who are extending the life of Windows 7 with Microsoft’s Extended Security Updates or with 0patch.
ACROS Security then documented the problem along with several attack scenarios and informed Zoom a few hours ago, along with a working proof of concept and recommendations for fixing the problem. Should a bug bounty be awarded by Zoom, this will be waived in favor of a charity of the researcher’s choice.
As for micropatching, the people at ACROS Security were able to quickly create a micropatch that fixes the vulnerability in four different places in the code. The micropatch was then backported from the latest version of the Zoom client for Windows (5.1.2) to the previous five versions of the Zoom client (up to version 5.0.3 released on May 17, 2020). The Zoom client has a fairly consistent auto-update functionality that home users are likely to keep up to date unless they have disabled updates. However, corporate administrators often like to keep control of updates and may hold back some versions, especially if security bugs have not been fixed in the latest versions (which is currently the case).
The ACROS security micropatches have already been released and distributed to all online 0patch agents; zoom users with 0patch installed are therefore no longer affected by this problem. According to Acros Security guidelines, these micropatches are available to all users free of charge until Zoom has resolved the problem or decided not to resolve it.
In order to minimize the risk of exploitation on systems without 0patch, the security researchers will not release details of this vulnerability until Zoom has fixed the problem or made a decision not to fix it, or until these details have been made public in some way.
To obtain the free micropatch for this issue and apply it to a computer, create a free account in 0patch Central and install 0patch Agent. For information on how the 0patch Agent works, which loads the micropatch into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below. Details about the above patch can be found on the 0pacth website.
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2