Google’s Project Zero vulnerability research team detailed critical vulnerabilities Zoom patched last week making that made it possible for hackers to execute zero-click attacks that remotely ran malicious code on devices running the messaging software.
Tracked as CVE-2022-22786 and CVE-2022-22784, the vulnerabilities made it possible to perform attacks even when the victim took no action other than to have the client open. As detailed on Tuesday by Google Project Zero researcher Ivan Fratric, inconsistencies in how the Zoom client and Zoom servers parse XMPP messages made it possible to “smuggle” content in them that usually would be blocked. By combining those flaws with a glitch in the way Zoom’s code-signing verification works, Fratric achieved full code execution.
“User interaction is not required for a successful attack,” the researcher wrote. “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.” Fratric continued: