Update Your Zoom Client ASAP

June 20, 2022 / meritsolutions

The COVID-19 pandemic propelled Zoom as the choice for video conferencing in both professional and personal circles. While Microsoft Teams is a close second, the name “Zoom” has become a noun and a verb, similar to how we “Google” questions on the internet. As such, the program is installed on millions of machines across the globe: If Zoom ever has a security issue, it affects a significant number of users all at once.

This is the situation we find ourselves in this week: The company announced four vulnerabilities on its Security Bulletin site that affect all Zoom users running the app with versions earlier than 5.10.0. Two of these vulnerabilities are classified as “High” severity, while the other two are classified as “Medium” severity. Three of these vulnerabilities apply to Zoom Client for Meetings for Windows, macOS, Linux, iOS, and Android, so it’s important to make sure all of the clients on your various devices are fully updated, not just your primary machine.

The most critical vulnerability, with a CVSS (Common Vulnerability Scoring System) score of 8.1, is tracked as CVE-2022-22784: The flaw allows a bad actor to send a custom XMPP (Extensible Messaging and Presence Protocol) message to another user, enabling the malicious user to take control of the target’s Zoom client. Essentially, you could receive a seemingly innocent message from a random account that is in reality crafted to run malicious code in your app.

The other vulnerability rated as “High” is CVE-2022-22786, an issue where Zoom doesn’t check the installation version of an update as the update is happening. A malicious user could take advantage of this flaw to trick users into downgrading their Zoom apps to less secure versions. This flaw, unlike the other three, only applies to the Windows versions of Zoom Client for Meetings and Zoom Rooms for Conference Room.

The two “Medium” vulnerabilities are CVE-2022-22785 and CVE-2022-22787. The former doesn’t properly constrain client cookies to Zoom domains, which could allow bad actors to spoof a user’s Zoom account by sending that user’s Zoom-scoped session cookies to a non-Zoom domain. With the latter, the client doesn’t validate the hostname when it receives a server switch request, which could be abused to direct a user’s Zoom client to connect to a malicious server.
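As an added example (not Zoom’s code or anything from the bulletin), this is the kind of strict hostname-scoping check that closes both gaps described above: a server-switch target and a cookie’s domain are accepted only if they sit at or below an allowlisted Zoom domain on a label boundary. The allowlist, the https-only rule and the sample hostnames are assumptions for illustration.

```python
# Added example, not Zoom's code: hostname scoping of the kind that blocks a
# server-switch request naming a non-Zoom host, and a Zoom-scoped cookie being
# sent to a non-Zoom domain. ALLOWED_DOMAINS is an assumption for illustration.
from urllib.parse import urlsplit

# Assumed allowlist of domains the client may talk to (illustrative only).
ALLOWED_DOMAINS = ("zoom.us", "zoom.com")


def normalize_host(host):
    """Lower-case, drop a trailing dot and any :port so naive variants compare equal."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):      # bracketed IPv6 literal: never a domain match
        return host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_allowed(host, allowed=ALLOWED_DOMAINS):
    """True only if host equals an allowed domain or is a real sub-domain of one.

    A substring or bare endswith() test would accept 'zoom.us.example.com'
    or 'notzoom.us'; requiring the '.' label boundary rejects both.
    """
    h = normalize_host(host)
    if not h or h.startswith("["):
        return False
    for domain in allowed:
        d = domain.lower()
        if h == d or h.endswith("." + d):
            return True
    return False


def server_switch_allowed(url):
    """Follow a server-switch target only if it is https and its host is allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return host_is_allowed(parts.hostname)


def cookie_may_be_sent(cookie_domain, request_host):
    """A Zoom-scoped cookie goes only to hosts inside its own allowlisted domain."""
    cd = normalize_host(cookie_domain.lstrip("."))   # RFC 6265 tolerates a leading dot
    return host_is_allowed(cd) and host_is_allowed(request_host, (cd,))


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(server_switch_allowed("https://web.zoom.us:443/j/123"))      # True
    print(server_switch_allowed("https://zoom.us.example.com/"))       # False
    print(cookie_may_be_sent(".zoom.us", "web.zoom.us"))               # True
    print(cookie_may_be_sent("zoom.us", "example.com"))                # False
```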

Ivan Fratric of Google Project Zero discovered and reported all four of these flaws to Zoom.

The good news is your Zoom app might already have updated itself: In December, the company introduced automatic updates for macOS and Windows users, which can help ensure you always have these security patches installed on your desktop clients. To check if this setting is enabled, open your Zoom client, log in, then click your profile and choose “Settings.” Under “General,” make sure “Automatically keep Zoom desktop client up to date” is checked. Next to Update Channel, you can choose “Fast” or “Slow,” which determines how quickly you receive new updates.

You can also make sure your iOS and Android Zoom clients are automatically updated. On Android, open the Play Store, tap your profile, then Settings > Network Preferences > Auto-update apps. Choose either “Over any network” to update apps using either Wi-Fi or mobile data, or “Over Wi-Fi only” to update apps only when connected to Wi-Fi. On iOS, open Settings, tap App Store, then, under “Automatic Downloads,” enable “Apps and App Updates.”

Cover photo by iyus sugiharto on Unsplash
