Zoom version 5.13.11 update available
The developers have closed several vulnerabilities and some are considered high risk and could allow code smuggling.
David Fischer
Some of the vulnerabilities in the web conference software Zoom are classified as high risk. Some could have enabled attackers to inject malicious code onto users' systems or to escalate their privileges on the system. Updates that patch the flaws are available now.
The vulnerability with the highest risk rating concerns saving a local recording to an SMB share and later opening the file via a link from the Zoom web portal. Attackers on an adjacent network could answer the client's requests with a malicious SMB server and thus foist their own executable files on victims (CVE-2023-22885, CVSS 8.3, high).
The Windows installer of the Zoom client for IT administrators allowed attackers to escalate their privileges on the system: in an attack chain, malicious actors could gain system privileges during the installation process (CVE-2023-22883, CVSS 7.2, high). A similar vulnerability exists in the macOS installer of the Zoom client for IT admins, where local attackers could gain root privileges (CVE-2023-22884, CVSS 5.2, medium).
An update to the Microsoft Edge WebView2 component made Zoom clients, Zoom Rooms and Zoom VDI on Windows vulnerable to an information leak: the component sent text to Microsoft's online spell checker instead of checking it locally. To resolve the issue, the developers simply turned off the spell-check function (CVE-2023-22880, CVSS 6.8, medium).
The vulnerabilities affect Zoom for Android, iOS, Linux, macOS and Windows prior to version 5.13.5, Zoom Rooms for Android, iOS, Linux, macOS and Windows prior to version 5.13.5, Zoom VDI Windows Meeting clients prior to the current version 5.13.10, Zoom Client for Meetings for IT Admins Windows Installers prior to 5.13.5 and Zoom Client for Meetings for IT Admin macOS Installers prior to 5.13.5.
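For administrators who want to check an inventory against the affected-version list above, here is an added example (not code from Zoom or from this article). The fixed versions are the ones named in the article; the hostnames and installed versions in the sample inventory are constructed, and the example compares versions numerically because a plain string comparison would misjudge 5.13.10 against 5.13.5.

```python
"""Check a software inventory against the fixed Zoom versions listed above.
Fixed versions come from the article's affected-products list; the inventory
rows are constructed sample data, not real hosts."""
import re

# Product -> first version that is no longer affected (from the article).
FIXED_VERSIONS = {
    "Zoom": "5.13.5",
    "Zoom Rooms": "5.13.5",
    "Zoom VDI Windows Meeting client": "5.13.10",
    "Zoom Client for Meetings for IT Admins Windows Installer": "5.13.5",
    "Zoom Client for Meetings for IT Admin macOS Installer": "5.13.5",
}

def parse_version(version: str) -> tuple:
    """Turn '5.13.10' into (5, 13, 10) so comparisons are numeric.
    Comparing raw strings is wrong: '5.13.10' < '5.13.5' as text, which
    would flag a patched VDI client. A build suffix like ' (12345)' is ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_affected(product: str, version: str) -> bool:
    """True if this product/version is older than the fixed release."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])

def affected_hosts(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom", "5.13.3"),
    ("ws-02", "Zoom", "5.13.5 (12345)"),
    ("room-a", "Zoom Rooms", "5.12.9"),
    ("vdi-01", "Zoom VDI Windows Meeting client", "5.13.10"),
    ("vdi-02", "Zoom VDI Windows Meeting client", "5.13.9"),
]

if __name__ == "__main__":
    for host, product, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```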
You can read more about the vulnerabilities in the Security Bulletins on the Zoom website. These also contain more details on the vulnerabilities and the versions specifically affected by them.
Users can download updated software from the Zoom download website.
About Author
David Fischer
I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.