Zoom version 5.11.9 update available

The update fixes several critical vulnerabilities.

Several Zoom products are affected by security vulnerabilities, some of them rated critical. The updates now available should fix them.

The updates to fix the privilege escalation vulnerability in the Mac client have so far been insufficient, so Mac users have to update the client again.

Attackers could inject malicious code into the Zoom Client for Meetings for Android, iOS, Linux, macOS and Windows because the software fails to validate URLs. The error is triggered when a user opens a maliciously crafted meeting URL: the link could make the client connect to an arbitrary network address, opening the door to further attacks such as launching executable files from any directory (CVE-2022-28755, CVSS 9.6, risk critical). Zoom VDI Windows Meeting Clients version 5.10.7 and later fix the vulnerability.

Attackers could escalate their privileges in Zoom Rooms for Conference Rooms for Windows prior to the current version 5.11.9 (CVE-2022-28752, CVSS 8.8, risk high). The fix for the vulnerability that allowed attackers to escalate their privileges in the Auto-Updater of Zoom Client for Meetings for macOS (CVE-2022-28756) was insufficient. A variation of the attack bypassed the fix (CVE-2022-28757, CVSS 8.8, risk high). Zoom Client for Meetings for macOS version 5.11.6 should close the vulnerability.

Another vulnerability affects the on-premise Zoom Meeting Connector Zone Controller prior to version 4.8.20220419.112: improper processing of STUN error messages can corrupt memory and crash the service, so a denial of service is possible. In versions prior to 4.8.12.20211115, malicious actors could even inject malicious code (CVE-2022-28750, CVSS 7.5, risk high).

Additionally, due to insufficient access controls in Zoom On-Premise Meeting Connector MMR prior to version 4.8.129.20220714, attackers invited to a meeting could join it and, beyond that, bypass the waiting room, grant themselves entry, assume the host role, and otherwise disrupt the meeting (CVE-2022-28753 and CVE-2022-28754, CVSS 7.1, risk high).

The updates are available on the Zoom download page. For administrators of an on-premise Zoom Meeting Connector, the company provides update instructions. Administrators and users should quickly make sure the current versions are in use so that cybercriminals or malicious employees have no target to attack.
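As an added example (not from the article or from Zoom), the following Python check compares an inventory of installed Zoom builds against the fixed versions named above; the product labels are this example's own shorthand, and the hostnames and installed versions in the sample inventory are constructed.

```python
# Minimum fixed version and CVE per product, as stated in the article above.
# Product labels are this example's own shorthand, not official Zoom names.
FIXED_VERSIONS = {
    "Zoom Client for Meetings (macOS)": ("5.11.6", "CVE-2022-28757"),
    "Zoom Rooms for Conference Rooms (Windows)": ("5.11.9", "CVE-2022-28752"),
    "Zoom VDI Windows Meeting Client": ("5.10.7", "CVE-2022-28755"),
    "Zoom Meeting Connector Zone Controller": ("4.8.20220419.112", "CVE-2022-28750"),
    "Zoom On-Premise Meeting Connector MMR": ("4.8.129.20220714", "CVE-2022-28753/28754"),
}

def parse_version(version: str) -> tuple:
    """Split '5.11.9' or '4.8.20220419.112' into a tuple of ints; Zoom's
    on-premise builds carry a date-like field that string comparison mis-orders."""
    return tuple(int(part) for part in version.strip().split("."))

def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed version for the product."""
    fixed, _cve = FIXED_VERSIONS[product]
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '5.11.6' and '5.11.6.0' compare as equal.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def find_unpatched(inventory):
    """Return (host, product, installed, cve) for every inventory entry below
    the fixed version; products the article does not cover are skipped."""
    findings = []
    for host, product, installed in inventory:
        if product in FIXED_VERSIONS and not is_patched(product, installed):
            findings.append((host, product, installed, FIXED_VERSIONS[product][1]))
    return findings

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("mac-01", "Zoom Client for Meetings (macOS)", "5.11.5"),
    ("mac-02", "Zoom Client for Meetings (macOS)", "5.11.6"),
    ("room-07", "Zoom Rooms for Conference Rooms (Windows)", "5.11.3"),
    ("zc-prod", "Zoom Meeting Connector Zone Controller", "4.8.12.20211115"),
    ("mmr-prod", "Zoom On-Premise Meeting Connector MMR", "4.8.129.20220714"),
    ("laptop-3", "Some other software", "1.0"),
]

if __name__ == "__main__":
    for host, product, installed, cve in find_unpatched(SAMPLE_INVENTORY):
        print(f"UNPATCHED {host}: {product} {installed} ({cve})")
```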
