A previously unknown flaw in the videoconferencing software Zoom could allow a hacker to remotely commandeer computers running old versions of the Microsoft Windows operating system, security researchers said Thursday.
A hacker who successfully exploits the vulnerability could access files on the vulnerable computer, said Mitja Kolsek, chief executive of ACROS Security, the Slovenian cybersecurity firm that highlighted the issue. “If the user is a local administrator, the attacker could completely take over the computer,” Kolsek told CyberScoop.
The “zero-day” vulnerability applies to Zoom software running on Windows 7 or even older operating systems.
Microsoft has tried to phase technical support out for Windows 7 in an effort to encourage users to upgrade to more secure operating systems. But Windows 7 is still widely used, and some organizations have struggled to move their computers to the latest Windows software en masse.
Kolsek said he was holding off on publishing a full exploit for the vulnerability until Zoom gets it fixed. His company offered free mitigations for the issue, he said.
After acknowledging the vulnerability on Thursday, Zoom said Friday that it had released a patch for the flaw. “Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates,” a company spokesperson said.
The software bug is the latest security challenge for Zoom, whose popularity has soared around the world as people telework during the coronavirus pandemic. Zoom had about 200 million daily meeting participants in March.
The San Jose, California-based company has hired new security personnel in an effort to respond to increased scrutiny of its code from outside researchers. After criticism of its decision to charge users for an end-to-end encryption service, Zoom reversed course last month and offered it for free.
UPDATE, 07/10/20, 11:41 a.m. EDT: This story has been updated with a statement from Zoom.