Zoom patches XMPP vulnerability chain that could lead to remote code execution

Written by Chris Duckett, APAC Editor


Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracker description of the chain.

Zoom's server and clients use different XML parsing libraries, so they parse the same XMPP message differently. By examining those differences, Fratric was able to uncover an attack chain that ultimately could lead to remote code execution.

If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server

Read More: https://www.zdnet.com/article/zoom-patches-xmpp-vulnerability-chain-that-could-lead-to-remote-code-execution/#ftag=RSSbaffb68