
Zoom Announces Critical Vulnerability for Desktop Application

Zoom, the widely used video conferencing platform, has recently patched a series of vulnerabilities in its desktop and mobile applications, including a critical flaw in its Windows software. Here’s a detailed look at the situation, the actions taken by Zoom, and recommendations for users and organizations to enhance their security posture. 

Tell me more about the Zoom vulnerabilities 

Zoom has identified seven vulnerabilities across its desktop and mobile applications, with a particularly critical vulnerability found in the Windows version of its software. The Zoom Windows vulnerability, tracked as CVE-2024-24691, is rated 9.6 on the CVSS scale (critical). It involves improper input validation, which could allow an attacker with network access to escalate privileges without authorization.

Another notable vulnerability is CVE-2024-24697, a high-severity issue that could allow for privilege escalation through local exploitation without the need for authentication. This and other vulnerabilities highlight the potential risks associated with using Zoom’s applications without the latest security updates. 

In response to these findings, Zoom has released patches to address the vulnerabilities and recommends that users update their applications to the latest versions. This proactive approach aims to mitigate security risks and protect users from potential exploitation. 

What is Nuspire doing?

At Nuspire, we are committed to ensuring the security of our clients. We actively apply patches in accordance with vendor recommendations and threat hunt client environments for indications of compromise. Our team is constantly monitoring the situation and will provide updates as necessary. 

How should I protect myself from Zoom vulnerabilities? 

To ensure the security of their systems, users and organizations utilizing Zoom’s Windows applications are advised to take immediate action: 

  • Update all Zoom applications: It’s crucial to update the Zoom Desktop Client, Zoom VDI Client, Zoom Rooms Client and Zoom Meeting SDK for Windows to the latest versions as specified by Zoom. Directions for configuring automatic updates on Zoom can be found here.
  • Specific updates for CVE-2024-24691: Users should update to at least version 5.16.5 of the Zoom Desktop Client for Windows, version 5.16.10 of the Zoom VDI Client for Windows (avoiding certain older versions), version 5.17.0 of the Zoom Rooms Client for Windows and version 5.16.5 of the Zoom Meeting SDK for Windows. 
  • Addressing CVE-2024-24697 and related vulnerabilities: Ensure that updates are applied to version 5.17.0 or later of the Zoom Desktop Client for Windows, version 5.17.5 of the Zoom VDI Client for Windows (excluding specific versions) and the latest versions of the Zoom Meeting SDK and Zoom Rooms Client for Windows. 
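The three steps above come down to one check an administrator has to repeat across a fleet: is the installed Zoom Desktop Client for Windows at or above the minimum fixed version named for each CVE? The following PowerShell script is an added example (not code from Zoom or Nuspire) that performs that check on a single host using the Desktop Client minimums quoted in this post (5.16.5 for CVE-2024-24691, 5.17.0 for CVE-2024-24697). It assumes Zoom registers itself under the standard Uninstall registry keys with a DisplayName beginning with "Zoom", that the DisplayVersion may carry a build number in parentheses after the version, and that a per-user install places the executable at %APPDATA%\Zoom\bin\Zoom.exe; the VDI, Rooms and Meeting SDK components have their own minimums and are not covered here.

```powershell
# Added example: compare the installed Zoom Desktop Client version with the
# minimum fixed versions for the two CVEs named in the post. Not Zoom's or
# Nuspire's code; registry/file locations below are assumptions.
$Minimums = @{
    'CVE-2024-24691' = [version]'5.16.5'
    'CVE-2024-24697' = [version]'5.17.0'
}

function Get-ZoomDesktopVersion {
    # Search per-user and per-machine Uninstall entries (assumed DisplayName filter).
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zoom*' -and $_.DisplayVersion }

    $v = $null
    foreach ($e in $entries) {
        # Strip an assumed trailing build number such as " (12345)" before parsing.
        $clean = $e.DisplayVersion -replace '\s*\(.*$', ''
        if ([version]::TryParse($clean, [ref]$v)) { return $v }
    }

    # Fall back to the executable's file version (assumed per-user install path).
    $exe = Join-Path $env:APPDATA 'Zoom\bin\Zoom.exe'
    if (Test-Path $exe) {
        $fv = (Get-Item $exe).VersionInfo.FileVersion -replace '\s*\(.*$', ''
        if ([version]::TryParse($fv, [ref]$v)) { return $v }
    }
    return $null
}

function Test-ZoomPatched {
    param(
        [AllowNull()][version]$Installed,
        [hashtable]$Minimums
    )
    # Emit one object per CVE so results from many hosts can be collected and filtered.
    foreach ($cve in ($Minimums.Keys | Sort-Object)) {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            CVE       = $cve
            Installed = $Installed
            Minimum   = $Minimums[$cve]
            Patched   = ($null -ne $Installed) -and ($Installed -ge $Minimums[$cve])
        }
    }
}

$installed = Get-ZoomDesktopVersion
if ($null -eq $installed) {
    Write-Warning "Zoom Desktop Client not found on $env:COMPUTERNAME"
} else {
    Test-ZoomPatched -Installed $installed -Minimums $Minimums | Format-Table -AutoSize
}
```

Run it under the user account that installed Zoom (per-user installs only appear in that user's HKCU hive), or push it through your endpoint management tool and collect the objects it emits; any row with Patched set to False identifies a host that still needs the update before it is considered covered.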
