There are probably several hundred million Windows 7 devices out there so this is serious. If you have the combination of Win 7 + Zoom you might want to block access to the app until a patch is available…:
[…] The security firm said the zero-day impacts Zoom’s Windows client, but only when the clients are running on old Windows OS versions, such as Windows 7 and Windows Server 2008 R2 and earlier.
Zoom clients running on Windows 8 or Windows 10 are not affected, according to ACROS Security CEO Mitja Kolsek.
“The vulnerability allows a remote attacker to execute arbitrary code on the victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file,” Kolsek said.
“No security warning is shown to the user in the course of attack,” he added.
Kolsek said ACROS did not discover the vulnerability by itself, but instead received it from a security researcher who wanted to keep their identity secret.
ACROS reported the zero-day to Zoom earlier today and released an update to its 0patch client to prevent attacks for its own customers until Zoom releases an official fix. A demo of the zero-day being exploited, and then blocked by the 0patch client, is available below.
ACROS didn’t publish any kind of technical details about the zero-day, but in a canned statement ZDNet received today from a Zoom spokesperson, the company confirmed the vulnerability and the report’s accuracy.