Zoom patches critical security flaws across its Windows apps — update now to stay safe


Zoom has fixed a critical vulnerability in its Windows apps that could allow an unauthenticated attacker to escalate privileges over the network.

The flaw, an improper input validation bug, was found by Zoom's own Offensive Security team. It affects Zoom Desktop Client for Windows before version 5.16.5, Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12, which carry a back-ported fix), Zoom Rooms Client for Windows before version 5.17.0, and Zoom Meeting SDK for Windows before version 5.16.5.

The flaw is tracked as CVE-2024-24691 and carries a CVSS score of 9.6 (critical).

Patching the flaws

Zoom has not published technical details of the flaw. BleepingComputer, the source of this report, points out that the CVSS vector marks user interaction as required, so exploitation would need some action from the victim. In practice that usually means something like clicking a link or opening a malicious email attachment.

Zoom has an automatic updater, so the client should offer the fix the next time it is launched. Users who have disabled automatic updates can download the latest build (version 5.17.7 for Windows at the time of writing) from Zoom's download page.
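Deciding whether a given install is inside the affected ranges is easy to get wrong by hand: the ranges above are "before X" comparisons with numeric components (5.16.10 is newer than 5.16.5, which a plain string sort gets backwards), and the VDI client has two excluded builds that are lower than the fixed version but already patched. The script below is an added example, not Zoom's code; only the version ranges are taken from the advisory wording above, and the product keys, host names and inventory format are assumptions for illustration.

```python
"""Check a Zoom for Windows version against the affected ranges for
CVE-2024-24691.

Added example, not Zoom's code. The ranges in AFFECTED are copied from the
advisory wording; product keys, host names and the inventory layout are
assumptions made for this illustration.
"""
from __future__ import annotations

# Affected ranges as stated in the advisory: every version strictly below
# "fixed" is affected, except the explicitly listed back-ported builds.
AFFECTED = {
    "desktop":     {"fixed": "5.16.5",  "excluded": ()},
    "vdi":         {"fixed": "5.16.10", "excluded": ("5.14.14", "5.15.12")},
    "rooms":       {"fixed": "5.17.0",  "excluded": ()},
    "meeting_sdk": {"fixed": "5.16.5",  "excluded": ()},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.16.5' or the About-dialog form '5.16.5 (23916)' into a tuple
    of ints so that 5.16.10 compares greater than 5.16.5 (a plain string
    comparison gets that wrong). The build number in parentheses is not
    part of the advisory's ranges and is dropped."""
    core = text.strip().split()[0] if text.strip() else ""
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if this product/version pair is inside the affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(AFFECTED)}")
    rule = AFFECTED[product]
    v = parse_version(version)
    if any(v == parse_version(ex) for ex in rule["excluded"]):
        return False  # back-ported fix listed as excluded in the advisory
    return v < parse_version(rule["fixed"])


def assess(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map each (host, product, version) record to a verdict string.
    Malformed entries are flagged rather than silently skipped: a blank
    version field is exactly where an unpatched machine tends to hide."""
    verdicts: dict[str, str] = {}
    for host, product, version in inventory:
        try:
            verdicts[host] = "AFFECTED" if is_affected(product, version) else "ok"
        except ValueError as exc:
            verdicts[host] = f"check manually ({exc})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory for the demo; these are not real hosts.
    sample = [
        ("ws-01",   "desktop", "5.16.4"),
        ("ws-02",   "desktop", "5.17.7 (31859)"),
        ("vdi-01",  "vdi",     "5.14.14"),
        ("vdi-02",  "vdi",     "5.15.11"),
        ("room-01", "rooms",   "5.16.10"),
        ("ws-03",   "desktop", ""),
    ]
    for host, verdict in assess(sample).items():
        print(f"{host:8} {verdict}")
```

The version string to feed in is the one shown in the client's About dialog (which includes the build number in parentheses) or the file version of Zoom.exe; on a default per-user install that binary typically lives under %APPDATA%\Zoom\bin, though the exact path depends on how Zoom was deployed.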

In the same advisory, Zoom also said it had addressed six additional vulnerabilities, including one that allows privilege escalation with local access, three that allow information disclosure over the network, and one that allows denial of service over the network.

The company advises users to apply the patch as soon as possible to protect their endpoints.

Zoom is a popular cloud-based video conferencing service that companies use to run remote meetings and calls, classes, demonstrations, and similar. It rose to prominence during the Covid-19 pandemic, quickly becoming one of the most widely used applications in the world; at one point it reported 300 million daily meeting participants.

That popularity also attracted attackers looking to steal sensitive company data, which put the spotlight on how quickly Zoom ships security fixes.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.