Researchers discover critical Zoom vulnerability, win $200,000


San Francisco, Apr 9 (IANS): Security researchers have discovered a zero-day vulnerability in video conferencing platform Zoom which can be used by cybercriminals to launch remote code execution (RCE) attacks.

The vulnerability was discovered as part of a contest, Pwn2Own, organised by cybersecurity firm Trend Micro's Zero Day Initiative (ZDI), a programme designed to reward security researchers for responsibly disclosing vulnerabilities.

The researchers from the Netherlands-based Computest won $200,000 for the discovery.

"Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own," Zero Day Initiative tweeted on Thursday.

The competition included 23 separate entries, targeting 10 different products in the categories of web browsers, virtualisation, servers, local escalation of privilege, and enterprise communications.

The specific technical details of the vulnerability have not been made public as Zoom has not yet had time to patch the security issue, ZDNet reported.

In vulnerability disclosure programmes, it is a standard practice to offer vendors a 90-day window to fix a newly discovered security issue.

As noted by Malwarebytes, the attack works on the Windows and Mac version of the Zoom software, but it does not affect the browser version.

It is not not clear whether the iOS- and Android-apps are vulnerable since Keuper and Alkemade did not look into those, according to the report.

While thanking the Computest researchers, Zoom, in a statement to Tom's Guide, said the company was "working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue".

 

  

Top Stories


Leave a Comment

Title: Researchers discover critical Zoom vulnerability, win $200,000



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.