Zoom has released multiple security updates addressing newly discovered vulnerabilities in its Workplace Apps across Windows, macOS, Linux, iOS and Android.
Of the seven security issues disclosed, one was rated high severity because of its potential impact.
The reported flaws could have allowed attackers to escalate privileges within the affected applications through several different attack vectors, putting user data and system integrity at risk.
In its advisory, the company said: “Zoom does not provide guidance on vulnerability impacts to individual customers due to a Zoom Security Bulletin or provide additional details about a vulnerability.
We recommend that users update to the latest version of Zoom software in order to get the latest fixes and security improvements.”
The fixes cover both the cross-platform Workplace App releases and the Windows-specific builds.
What Were the Risks?
The most serious vulnerability was a time-of-check to time-of-use (TOCTOU) flaw: a race condition in which a resource is validated in one step and used in a later step, so an attacker who changes the resource between the two steps gets the unchecked version used. In the Zoom Workplace Apps this could have allowed malicious actors to gain unauthorised access or elevate their privileges.
TOCTOU bugs are particularly dangerous because the window between check and use is usually tiny, yet an attacker can retry until they hit it, and a single successful hit turns a check the application relied on into no check at all; left unpatched, that is a dependable route to a significant breach.
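The check-then-use race described above, as an added example that is not Zoom's code and is not taken from the advisory (Zoom has published no details of the actual bug): a small Linux/POSIX C program that contrasts the vulnerable pattern (validate a path with lstat, then open the same path) with the hardened one (open the path with O_NOFOLLOW, then validate the file descriptor with fstat). The scratch directory under /tmp, the file names "victim" and "secret", and the attacker hook that runs synchronously inside the window are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook modelling what a concurrent attacker process does during the race window.
 * Calling it synchronously makes the outcome deterministic for comparison. */
typedef void (*race_hook)(const char *path);

/* Vulnerable pattern: the check (lstat on the name) and the use (open on the name)
 * look the file up twice. Whatever the name resolves to at the second lookup is
 * what gets read, regardless of what the first lookup saw. */
ssize_t read_regular_vulnerable(const char *path, race_hook attacker, char *buf, size_t n) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                    /* check: only a plain regular file is acceptable */
    if (attacker) attacker(path);     /* window: the name is swapped underneath us */
    int fd = open(path, O_RDONLY);    /* use: follows whatever symlink is there now */
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Hardened pattern: open first, refusing to follow a symlink at the final component,
 * then validate the descriptor with fstat. The object checked is the object read;
 * swapping the name afterwards cannot change an fd that is already open. */
ssize_t read_regular_hardened(const char *path, race_hook attacker, char *buf, size_t n) {
    if (attacker) attacker(path);     /* the attacker still acts; there is no stale check to exploit */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;            /* ELOOP: the name now points at a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                    /* opened something other than a regular file */
        return -1;
    }
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Attacker's move (constructed): replace the checked name with a symlink to the
 * file they want read on their behalf. The relative target resolves in the same directory. */
void attacker_swap(const char *path) {
    unlink(path);
    symlink("secret", path);
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed lab (no real application data): a scratch directory holding "victim",
 * the file the caller intends to read, and "secret", the file the attacker wants
 * read. Writes the directory path into dir; returns 0 on success. */
int setup_lab(char *dir, size_t dirlen) {
    char tmpl[] = "/tmp/toctou-lab-XXXXXX";
    if (!mkdtemp(tmpl) || snprintf(dir, dirlen, "%s", tmpl) >= (int)dirlen) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/victim", dir);
    if (write_file(p, "harmless") != 0) return -1;
    snprintf(p, sizeof p, "%s/secret", dir);
    return write_file(p, "confidential");
}

void teardown_lab(const char *dir) {
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/victim", dir); unlink(p);
    snprintf(p, sizeof p, "%s/secret", dir); unlink(p);
    rmdir(dir);
}

/* Runs one pattern against a fresh lab with the given attacker hook (NULL for none).
 * Returns the byte count read (-1 if refused) and leaves the bytes, NUL-terminated, in out. */
ssize_t run_scenario(int hardened, race_hook attacker, char *out, size_t outlen) {
    char dir[256], victim[PATH_MAX];
    if (setup_lab(dir, sizeof dir) != 0) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    memset(out, 0, outlen);
    ssize_t n = hardened ? read_regular_hardened(victim, attacker, out, outlen - 1)
                         : read_regular_vulnerable(victim, attacker, out, outlen - 1);
    teardown_lab(dir);
    return n;
}

int main(void) {
    char buf[64];
    ssize_t n = run_scenario(0, attacker_swap, buf, sizeof buf);
    printf("vulnerable, swapped in window: %zd bytes \"%s\"\n", n, buf);   /* 12 bytes "confidential" */
    n = run_scenario(1, attacker_swap, buf, sizeof buf);
    printf("hardened,   swapped in window: %zd (open refused)\n", n);      /* -1 */
    return 0;
}
```

Build with `gcc -Wall -o toctou toctou.c` and run it on Linux. The vulnerable reader passes its lstat check on the real file and then reads "confidential" through the symlink planted in the window; the hardened reader never trusts the name twice, so the same swap ends in ELOOP. Note that O_NOFOLLOW only guards the final path component: if intermediate directories are attacker-writable, resolve the path from a trusted directory descriptor with openat instead.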
The remaining vulnerabilities were rated medium severity: an integer underflow, a buffer over-read and two NULL pointer dereference issues, all in Zoom Workplace apps for Windows.
At the time of writing, none of the flaws is known to have been exploited in attacks.
What Can You Do?
Zoom has urged users and administrators of Zoom Workplace Apps to update their software promptly; as the advisory makes clear, installing the latest version is the mitigation the company offers.
The company says it continues to monitor its platforms for security threats and encourages responsible disclosure of potential security issues.