The Register reports that Zoom has issued fixes for a medium-severity security flaw, tracked as CVE-2022-22787, which could be abused to facilitate malicious code execution.
Attackers could exploit the vulnerability, discovered and reported by Google Project Zero bug hunter Ivan Fratric, to conduct "XMPP stanza smuggling" attacks that deliver malware and spyware without the need for user interaction.
"The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," said Fratric, who added that XML parsing inconsistencies between the Zoom client and server software are being leveraged to smuggle malicious XMPP stanzas to the victim client.
Abusing the flaw through a man-in-the-middle server also exposed data from numerous /clusterswitch endpoints.
"Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications," Fratric added.
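The root cause described above is a parser differential: the server and the client do not agree on where one XMPP stanza ends and another begins. One general defensive pattern for a relay is to never forward raw bytes, but to parse each stanza with a single strict parser and re-serialize it from the parsed tree, so a downstream client can only ever see what the relay's own parser accepted. The example below is added here to illustrate that pattern; it is not Zoom's code, not the fix Zoom shipped, and the sample stanzas are constructed.

```python
import xml.etree.ElementTree as ET

# XMPP core defines exactly three stanza kinds; anything else is refused.
ALLOWED_STANZAS = ("message", "presence", "iq")


def canonicalize_stanza(raw: str) -> str:
    """Parse one stanza strictly and re-serialize it from the parsed tree.

    The strict parser rejects a second top-level element ("junk after
    document element"), drops comments and processing instructions, decodes
    character references and normalizes attribute quoting. The returned
    string is therefore the relay's own understanding of the stanza, and is
    the only thing that should be forwarded to a client.
    """
    root = ET.fromstring(raw)  # raises ET.ParseError on trailing content
    return ET.tostring(root, encoding="unicode")


def relay(raw: str):
    """Return the canonical stanza to forward, or None to drop it.

    Dropping on any parse failure avoids the situation where the relay
    forwards bytes it could not fully interpret but a more lenient client
    parser might.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag not in ALLOWED_STANZAS:
        return None
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed inputs: one benign stanza with noise, one with a second
    # top-level stanza appended, one that is not an XMPP stanza at all.
    for sample in (
        "<message to='bob'><body>hi&#x20;there</body><!-- note --></message>",
        "<message to='bob'/><iq type='get'/>",
        "<script/>",
    ):
        print(repr(sample), "->", repr(relay(sample)))
```

The key property is that `relay` forwards the output of `ET.tostring`, never `raw`: comments, alternative quoting and encoded characters are normalized away, and an input the strict parser does not accept as exactly one stanza is dropped rather than passed through for a second, possibly more lenient, parser to interpret.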
Zoom fixes malware infecting vulnerability