According to recent reports, a zero-click Zoom vulnerability could have exposed users’ data, leaving clients susceptible to a range of cyberattacks.
Although the flaws have now been fixed, they speak to the growing concern around such attacks, which spiked during the pandemic.
While most spyware requires the victim to click on a link or open an attachment, zero-click vulnerabilities, as the name suggests, target the victim’s device with a message that produces no notification. Users therefore do not need to touch their phones at all for the malware to take effect.
While Zoom users have the option to turn on end-to-end encryption for their calls, which would keep an attacker from surveilling the content of their communication, this does not stop an attacker from accessing users’ call logs, and it offers no protection to those who have not enabled it.
Google’s Project Zero researcher Natalie Silvanovich published an analysis of these security threats. Silvanovich found two different kinds of bugs: a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), and an information leak that, again, was located in the MMR servers.
The report also noted the need for Address Space Layout Randomization (ASLR), a security mechanism that makes memory corruption bugs harder to exploit. The vulnerabilities were reported and fixed on November 24, 2021. Zoom has since enabled ASLR.