Patch now: Zoom chat messages can infect PCs, Macs, phones with malware
2022-05-24 21:33

Zoom has fixed a security flaw in its video-conferencing software that a miscreant could exploit with chat messages to potentially execute malicious code on a victim's device.

The upshot is that someone who can send you chat messages could cause your vulnerable Zoom client app to install malicious code, such as malware and spyware, from an arbitrary server.

As Zoom explained in a security bulletin, these earlier software versions fail "to properly validate the hostname during a server switch request."

"The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," Fratric noted.

XMPP is the messaging protocol that Zoom uses for its chat functionality.

XMPP stanza smuggling can be used for a variety of nefarious purposes - everything from spoofing messages to make them look like they are coming from a different user to sending control messages that will be accepted as if they are coming from the server.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/24/zoom_rce_bug_patched/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoom 54 4 51 80 12 147