Security News > 2022 > January > Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers
An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.
Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues impact both Zoom clients and Multimedia Router servers, which transmit audio and video content between clients in on-premise deployments.
"The lack of ASLR in the Zoom MMR process greatly increased the risk that an attacker could compromise it," Silvanovich said.
While most video conferencing systems use open-source libraries such as WebRTC or PJSIP for implementing multimedia communications, Project Zero called out Zoom's use of proprietary formats and protocols as well as its high licensing fees as barriers to security research.
"Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it," Silvanovich said.
"While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive."
News URL
https://thehackernews.com/2022/01/google-details-two-zero-day-bugs.html
Related news
- Google: Spyware vendors behind 50% of zero-days exploited in 2023 (source)
- Miscreants are exploiting enterprise tech zero days more and more, Google warns (source)
- Google fixes Chrome zero-days exploited at Pwn2Own 2024 (source)
- Zero-day exploitation surged in 2023, Google finds (source)
- Google fixes two Pixel zero-day flaws exploited by forensics firms (source)
- Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies (source)
- Google fixes one more Chrome zero-day exploited at Pwn2Own (source)
- Google fixes fifth Chrome zero-day exploited in attacks this year (source)
- Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671) (source)
- Google Chrome emergency update fixes 6th zero-day exploited in 2024 (source)