Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol messages and execute malicious code.
CVE-2022-22786 – Update package downgrade in Zoom Client for Meetings for Windows.
CVE-2022-22787 – Insufficient hostname validation during server switch in Zoom Client for Meetings.
With Zoom’s chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.
The patches arrive less than a month after Zoom addressed two high-severity flaws that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services.