According to the latest update the new arrival of the most demandable and real end-to-end encryption feature which apparently published because that was only available for the paid user. The main information of the critical vulnerabilities discovered latest.

The researcher from Cisco has mentioned in his comment that it was discovered the two vulnerabilities in the Zoom video conferencing software that could have allowed cyber attackers to compromise the machine of the group user chat or any individual recipient remotely.

Both the mistakes have made a path for the attacker to be vulnerable and can be exploited to write arbitrary files on the run=ing machine and vulnerable to any version of the Zoom Video conferencing software and also execute the malicious code.

According to the researcher, it was found that the successful exploitation of both the issues required little interaction form the participant user and execute the malicious code by some specially crafted message through the chat systems to an individual or a group.

The Previous vulnerabilities (CVE-2020-6109) also resided in the way Zoom leverages GIPHY services which were recently bought by Facebook,  let the users search and exchange animated GIFs while chatting.

The team who is in finding the source of hacking the machine, they found that the Zoom application did not check whether the shared GIF is loading from Giphy Services or from another source. The attacker embedded the GIFs from the third party attackers-controller server which zoom by the design cache/store on the recipient’s system in the specific folder which is associated with the application.

The application did not have filenames checking facilities that could allow the hackers to achieve the directory and trick the application into saving malicious files which are in the form of GIFs and sent to any location of the victim’s system.

The second remote code was used for the execution of malicious machines residing in the vulnerable version of the zoom application and process code of the snippets which are shared through the chat.

The researcher also said that the Zoom’s Video conferencing application chat process uses the XMPP standard with an additional extension to help and give a good user-friendly experience. In between, one of the extensions supports the feature of including source code snippets which have the syntax highlighting support. This feature sends the code snippets required by the installation of an additional plugin but receiving them does not.

The above feature used to create a zip of the shared code snippet before sending and that automatically unzips it with the recipient’s system.

From the source, it was mentioned that the Zoom Zip file extraction feature has never validated the content of the Zip file before the extraction process and allows the attacker to malicious code of the target computer.

Last Month Zoom patched both the code vulnerabilities and released version 4.6.12 the previous version 4.6.10 contained the vulnerabilities and now the video conferencing software is safe for windows, Mac OS, and Linux. 

If you feel anything about the comment. Please! Drop your comments below.

The post Zoom Chat let the hacker’s victimize the user appeared first on Vednam.