Zoom users who, despite all warnings and exhortations to upgrade, continue to run the Microsoft Windows 7 operating system have been warned of a potential risk to their security following the discovery of a remote code execution zero-day vulnerability in the Windows Zoom client.
According to Mitja Kolsek of 0patch, a platform that distributes microscopic patches to running systems, who was informed of the vulnerability by an independent researcher wishing to remain anonymous, the flaw would let a remote attacker execute arbitrary code on a target’s PC on which the Zoom Client for Windows is installed, typically by getting the user to open a malicious file attachment.
Writing on 0patch’s disclosure blog, Kolsek said that analysis of the zero-day had shown it is only exploitable on Windows 7 (and older systems), which is now out of support, although millions of consumer and enterprise users are still prolonging their use of it. The vulnerability has been disclosed to Zoom via its bug bounty programme.
0patch has already been able to create a small patch to remove the vulnerability in four different places in the code, which has been ported from the latest version of Zoom for Windows – 5.1.2 – back to version 5.0.3, which was released on 17 May 2020. These have been distributed already, so 0patch users are not affected by the issue. Kolsek said the micropatch would be made available for free until such time as Zoom addressed the issue and added that he had chosen not to publish full technical details of the zero-day at this time to prevent possible exploitation.
Importantly, he added, the vulnerability affects versions of Windows 7 that are currently being covered by Microsoft’s Extended Security Updates. It may also exist on Windows Server 2008 R2, although this has not been tested.
Chris Hauk, consumer privacy champion at Pixel Privacy, said: “While many observers may lay this issue at the feet of the Zoom developers, the security horror show that is Windows 7 and earlier versions of the operating system cannot be ignored.
“Users running as local administrators on Windows are asking for security challenges like this [and] unfortunately, Windows 7 is still in use by numerous users as companies have struggled to move to Windows 10,” said Hauk.
Boris Cipot, senior security engineer at Synopsys, added: “Although Microsoft Windows 10 makes up the majority of existing Windows operating systems, there is still a substantial number of Windows 7 systems in use. What is most concerning is that many using these older systems are, in fact, governmental and public sector infrastructures.
“The good news is that Zoom has acknowledged this vulnerability as critical and are already working on a way to remediate it. However, the question now is, what will impacted users do to avoid the risk of exposure? Since the discovery of this vulnerability, Zoom has not yet had the time to repair it. As such, users are advised to be careful. As Zoom is easy to reinstall, users would do well to remove Zoom from affected machines, and then reinstall it once the threat has been removed.”
Brian Higgins, a security specialist at Comparitech, also said he was not at all surprised that Windows 7 users were finding themselves vulnerable to more and more security issues, and urged laggards to ramp up their migration process.
“However expensive it is to upgrade to supported software, it’s still got to be better than leaving yourself, your devices, or even your organisation open to anyone who wants to download a bit of malware and take a pop at you,” he said.
Update: As of 15 July 2020, Zoom has made its own update available to address this issue. A spokesperson said: “Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”