by Mitja Kolsek, the 0patch Team
Earlier this week a security researcher shared a remote code execution "0day" vulnerability in Zoom Client for Windows with our team. The vulnerability allows a remote attacker to execute arbitrary code on victim's computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file. No security warning is shown to the user in the course of attack.
The researcher (who wants to keep their identity private) stated that they did not report the vulnerability to Zoom either directly or through a broker, but would not object to us reporting it to Zoom.
We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft's official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft's Extended Security Updates or with 0patch.
We then documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing. Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher's choice.
On the micropatching side, we were able to quickly create a micropatch that removes the vulnerability in four different places in the code. The micropatch was then ported from the latest version of Zoom Client for Windows (5.1.2) to previous five versions back to 5.0.3 released on May 17, 2020. Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don't want to be. However, enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions (which is currently the case).
Our micropatches have already been released and distributed to all online 0patch Agents; Zoom users with 0patch installed are therefore no longer affected by this issue.
According to our guidelines, we're providing these micropatches to everyone for free until Zoom has fixed the issue or made a decision not to fix it. To minimize the risk of exploitation on systems without 0patch, we're not publishing details on this vulnerability until Zoom has fixed the issue, or made a decision not to fix it, or until such details have become public knowledge in any way.
To obtain the free micropatch for this issue and have it applied on your computer(s), create a free account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.
Exploit without and with the micropatch
This video demonstrates how an actual attack could look like, and how 0patch blocks the attack. When 0patch is disabled (or absent), user's clicking on the "Start Video" button triggers the vulnerability and leads to a "HACKED" dialog being shown (of course anything else could be executed instead). With 0patch enabled, the vulnerability is removed from the running Zoom.exe process and clicking on the "Start Video" button does not result in execution of malicious code.
Note that in order to prevent revealing too much information, some prior user activity inside Zoom Client user interface is not shown in the video.
Frequently Asked Questions
Q: Am I affected by this vulnerability if I'm using Windows 10 or Windows 8?
A: No, this vulnerability is only exploitable on Windows 7 and earlier Windows versions. It is likely also exploitable on Windows Server 2008 R2 and earlier though we didn't test that; either way, our micropatch will protect you wherever you're using Zoom Client.
Q: Am I affected by this vulnerability if I'm using Windows 7 fully updated with Extended Security Updates?A: Yes.
Q: Are other Zoom products affected by this vulnerability too?
A:We did not test any other Zoom products, however only those running on Windows could potentially be affected by this vulnerability.
Q: Is your micropatch for this vulnerability completely free?
A: Yes. If you already have 0patch Agent installed and registered, everything will happen automatically. If not, you only need to create a free account in 0patch Central, install 0patch Agent and register it to your account, then all FREE micropatches will be automatically downloaded to your computer and applied as needed. Once Zoom has fixed this issue, this micropatch will no longer be free and will only be available to 0patch PRO license holders.
Q: If I use 0patch to fix this vulnerability, what will happen when Zoom issues an updated version of Zoom Client for Windows?
A: 0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete. In case this updated Zoom Client does not fix this vulnerability, we'll port the micropatch and make it available for free as quickly as possible.
Q: How do I know that the micropatch was actually applied to my Zoom Client?
A: First launch Zoom, then open 0patch Console and view the log. You should be able to find log entries like "Patch ... applied in application Zoom.exe"
Q: I installed 0patch Agent to fix this vulnerability but it is showing a large amount of popups notifying me about missing patches regardless of popup settings in 0patch Console. What can I do to make this stop?
A: We're aware that popups in the FREE plan have become pretty disturbing due to the increased amount of patches, and are fixing that in the next agent version scheduled to be out next week. If you can't wait, feel free to download the current 0patch Agent release candidate and install it on top of your already installed 0patch Agent. When this release candidate is installed, 0patch Console will show that a “New agent is available”. Please ignore that – the server simply tells the agent that the version it is running is not the current official version. The message will stop appearing when the new agent is officially released.
We'd like to thank the security researcher who shared the vulnerability with us so we could provide quick protection for our existing users and everyone else affected. We're very pleased to see an increase of such collaboration within security community and call upon all security researchers to help us protect users and share vulnerability information with us, whether or not they have also shared it with the original vendor. We'll do our best to turn your reports into patches as quickly as possible. Thank you all!