Zoom has addressed a medium-severity bug and advised customers to update their client software to version 5.10.0 for Windows, macOS, iOS, and Android.
According to Google Project Zero security researcher Ivan Fratric, an attacker can compromise a victim's machine over a Zoom chat conversation. The vulnerability is tracked as CVE-2022-22787 and carries a CVSS score of 5.9 (medium). The attack requires no action from the victim, which makes it a zero-click attack; such attacks are particularly dangerous because they work even against the most security-aware users. The Extensible Messaging and Presence Protocol (XMPP) exchanges messages and presence information in real time by sending XML fragments called stanzas over a long-lived stream connection.
Zoom's chat feature is built on this messaging protocol. According to the security bulletin published by Zoom, CVE-2022-22786 (CVSS score 7.5) affects Windows users only, while CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 affect Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows.
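To make the stanza concept concrete, here is an added example (written for this page; it is not Zoom's code nor part of Fratric's research). It is a small Python reader for the three XMPP stanza kinds (message, presence, iq) that a client receives as direct children of the stream element. The sample stream fragment, the JIDs in it, and the names `parse_stanzas` and `accepts` are constructed for illustration. The security-relevant point it shows is the check a client should make before acting on input from the chat server: accept only well-formed XML and only the stanza kinds and namespace it expects, and reject anything else instead of guessing.

```python
"""Minimal XMPP stanza reader (illustrative example, not Zoom's code).

An XMPP session is one long XML document, <stream:stream>, whose direct
children are the stanzas: <message/>, <presence/> and <iq/> in the
jabber:client namespace. This reader wraps a captured fragment of that
stream in a root element, parses it with a strict XML parser, and returns
only the stanzas it recognises; anything else is rejected.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

CLIENT_NS = "jabber:client"
STREAM_NS = "http://etherx.jabber.org/streams"
STANZA_KINDS = ("message", "presence", "iq")

# Constructed sample: three stanzas as a client might see them on the wire.
SAMPLE_STREAM = (
    '<message from="alice@example.com/phone" to="bob@example.com" type="chat">'
    "<body>Joining the meeting now</body></message>"
    '<presence from="alice@example.com/phone"><show>dnd</show></presence>'
    '<iq type="get" id="r1" from="alice@example.com/phone">'
    '<query xmlns="jabber:iq:roster"/></iq>'
)


@dataclass
class Stanza:
    kind: str                # "message", "presence" or "iq"
    sender: Optional[str]    # the "from" JID; stamped by the server on delivery,
                             # so a client must not trust it on a raw fragment
    recipient: Optional[str]
    type_: Optional[str]
    body: Optional[str]      # text of <body/> for messages, else None


def parse_stanzas(fragment: str) -> List[Stanza]:
    """Parse a stream fragment into stanzas, rejecting anything that is not one.

    Raises ET.ParseError for malformed XML and ValueError for a top-level
    element that is not a jabber:client message/presence/iq stanza.
    """
    wrapped = (
        f'<stream:stream xmlns="{CLIENT_NS}" xmlns:stream="{STREAM_NS}">'
        f"{fragment}</stream:stream>"
    )
    root = ET.fromstring(wrapped)  # strict parser: unbalanced tags raise ParseError
    stanzas: List[Stanza] = []
    for el in root:
        prefix = "{" + CLIENT_NS + "}"
        if not el.tag.startswith(prefix):
            # e.g. a nested <stream:stream/> or an element in a foreign namespace
            raise ValueError(f"top-level element in unexpected namespace: {el.tag}")
        kind = el.tag[len(prefix):]
        if kind not in STANZA_KINDS:
            raise ValueError(f"unknown stanza kind: {kind}")
        body_el = el.find(f"{{{CLIENT_NS}}}body")
        stanzas.append(
            Stanza(
                kind=kind,
                sender=el.get("from"),
                recipient=el.get("to"),
                type_=el.get("type"),
                body=body_el.text if body_el is not None else None,
            )
        )
    return stanzas


def accepts(fragment: str) -> bool:
    """True if the fragment parses as a sequence of known stanzas, else False."""
    try:
        parse_stanzas(fragment)
    except (ET.ParseError, ValueError):
        return False
    return True


if __name__ == "__main__":
    for s in parse_stanzas(SAMPLE_STREAM):
        print(s)
    print("nested stream accepted:", accepts("<stream:stream/>"))
    print("unterminated XML accepted:", accepts("<message><body>oops"))
```

Running the file prints the three parsed stanzas and `False` for both rejection cases. A real client additionally has to reconcile the `from` attribute with the authenticated session, since on a raw fragment that attribute is whatever the sender wrote; the reader above deliberately keeps it as data rather than treating it as an identity.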