The specifics of a zero-click remote code execution attack targeting the Zoom video conferencing software have been revealed by Google’s Project Zero.
Ivan Fratric of Project Zero has outlined an attack chain that may be leveraged by a hostile actor to compromise a Zoom user via the chat feature — without the user’s knowledge — by sending them an XMPP message. The exploit chain used by Fratric has been called “XMPP Stanza Smuggling.”
Six vulnerabilities have been identified by Fratric. CVE-2022-25235 and CVE-2022-25236 are two of the issues that affect the popular open source XML parser Expat. Because the library is used in so many projects, IBM, Aruba, several Linux distributions, Oracle, and F5 have all issued advisories to inform their customers about the consequences of these and other Expat vulnerabilities.
Read More: https://www.securityweek.com/google-discloses-details-zoom-zero-click-remote-code-execution-exploit