Home > Categories > Web Conferencing > Two New Zoom Vulnerabilities Uncovered – Upgrade Now!

Software Category

Web Conferencing

Write Review

Two New Zoom Vulnerabilities Uncovered – Upgrade Now!

June 2020

Two new vulnerabilities in Zoom’s web conferencing software were discovered in early June 2020. These vulnerabilities could allow malicious actors the ability to execute arbitrary code on target hosts and exploit path traversal vulnerabilities in the software. Zoom’s latest update addresses and remediates the vulnerabilities.

Path Traversal attacks enable access to files and directories outside of a web root folder, which would allow a malicious actor to access files stored on a system that were not meant to be publicly available to the web application.

The vulnerabilities were uncovered by Cisco Talos and are listed under Common Vulnerabilities and Exposures (CVE) ID numbers CVE-2020-6109 and CVE-2020-6110. CVE-2020-6109 affects GIPHY, the messaging and animated GIF application. CVE-2020-6110 exploits a chat code snippet in Zoom.

The vulnerabilities are found in version 4.6 of Zoom, one of which “impacts Zoom 4.6.10, 4.6.11 and likely earlier versions, [while the other] only affects 4.6.10 and earlier.”, according to Security Week.

Source: SoftwareReviews. Accessed June 9, 2020

Both vulnerabilities have been addressed in Zoom’s 5.0 update, released in May 2020. Zoom has addressed the vulnerabilities on both the server and client; software on client workstations will need to be upgraded manually.

Our Take

Upgrade your end-user workstations to the latest Zoom software! The patches released by Zoom address issues on the client software distributed and installed on user workstations. Therefore, IT departments are strongly encouraged to roll out the patch as soon as possible and ensure that all users comply with direction to upgrade their software.

Systems administrators can either distribute the update via your organization’s software distribution tools or have end users execute the upgrade on their own. As a standard practice, we recommend conducing a risk assessment of all software patches to identify urgency and to schedule their installation or deployment accordingly.

Stay tuned to Info-Tech’s Tech Briefs; we will report on developments as they transpire.

Other Recent Research in Web Conferencing

Web Conferencing

Briefing: BlueJeans by Verizon

On October 29, 2020, Verizon briefed on BlueJeans’ product vision and direction. This note outlines the new and upcoming features that users can expect from BlueJeans for the rest of 2020 and into 2021. However, with the table stakes margin for features rapidly increasing in the web conferencing marketspace, BlueJeans’ new features are less a way to stand out from the crowd and more as a necessity to keep up.

Web Conferencing

Briefing: Cisco Webex Legislate

On November 5, 2020, Cisco briefed on its upcoming virtual legislative session tool Webex Legislate. With a range of features that governing bodies around the globe have desired throughout the extent of the pandemic, Webex Legislate surely becomes the must-have tool for conducting virtual and hybrid sessions – especially if an agency is already leveraging Cisco products.

Web Conferencing

Cisco Introduces Webex Classrooms and the Webex Control Hub

On September 1, 2020, Info-Tech briefed with Cisco about current and upcoming features of its Unified Webex app for September. Significant changes include the introduction of Cisco Webex Classrooms and the Webex Control Hub, with notable updates also coming to Webex for Education, Webex Meetings, and Webex Teams.

Web Conferencing

Recon Research Highlights Web Conferencing as the Future of the Workplace

Enterprise Connect’s virtual conference and expo for 2020 featured a wide variety of sessions on communications and collaboration for the enterprise. In this fourteenth note of fourteen, I report on Recon Research’s latest study on how COVID-19 has cemented web conferencing as the future of the workplace.