Web conferences: Zoom seals eight security gaps

The web conferencing software contains several security vulnerabilities, one of which is rated high risk. Updates fix them.


Smartphones as webcams in a web conference.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Zoom's web conferencing software contains eight security vulnerabilities. Attackers can escalate their privileges, cause a denial of service or gain unauthorized access to information. Updates are available.

In the Zoom apps for Windows, authenticated users can escalate their privileges because the installer does not perform sufficient input validation. In its security notice, Zoom does not explain what attacks could look like or what exactly the vulnerability is (CVE-2024-27240, CVSS 7.1, risk "high").

The updated software packages are available on the Zoom download page. If the software has not automatically updated to the newer version, users and admins should install the new packages manually.

The vulnerabilities are fixed in Zoom Workplace Desktop App for Linux, macOS and Windows 6.0.10, Zoom Rooms App for iPad, Mac and Windows 6.0.6, Zoom Meeting SDK for Android, iOS, Linux, macOS and Windows 6.0.10, Zoom Workplace VDI App for Windows 5.17.13, and newer versions. In some cases, older versions already close some of the security holes, but those versions may still be vulnerable to one or more of the other vulnerabilities.

The individual security messages are sorted in descending order of risk:

Zoom last warned in February about a vulnerability in its web conferencing programs that was classified as critical. It allowed attackers to escalate their privileges on the system through the Zoom Desktop Client, VDI Client and Zoom Meeting SDK, each for Windows, without prior authentication.

(dmk)