Zero-day flaw found in Zoom for Windows 7

A previously unknown flaw in the videoconferencing software Zoom could allow a hacker to remotely commandeer computers running old versions of the Microsoft Windows operating system, security researchers said Thursday.

A hacker who successfully exploits the vulnerability could access files on the vulnerable computer, said Mitja Kolsek, chief executive of ACROS Security, the Slovenian cybersecurity firm that highlighted the issue. “If the user is a local administrator, the attacker could completely take over the computer,” Kolsek told CyberScoop.

The “zero-day” vulnerability applies to Zoom software running on Windows 7, or even older operating systems.

Microsoft has tried to phase technical support out for Windows 7 in an effort to encourage users to upgrade to more secure operating systems. But Windows 7 is still widely used, and some organizations have struggled to move their computers to the latest Windows software en masse.

Kolsek said he is holding off on publishing a full exploit for the vulnerability until Zoom gets it fixed. His company is offering free mitigations for the issue, he said.

“Zoom takes all reports of potential security vulnerabilities seriously,” a Zoom spokesperson said in a statement. “This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”

The disclosure is the latest security challenge for Zoom, whose popularity has soared around the world as people telework during the coronavirus pandemic. Some 200 million people used the software on a daily basis in March.

The San Jose, California-based company has hired new security personnel in an effort to respond to increased scrutiny of its code from outside researchers. After criticism of its decision to charge users for an end-to-end encryption service, Zoom reversed course last month and offered it for free.

UPDATE, 1:11 p.m. EDT: This story has been updated with a statement from Zoom.