Zero-day flaw found in Zoom for Windows 7

A hacker who successfully exploits the Zoom vulnerability could access files on the vulnerable computer, according to ACROS Security, the Slovenian firm that highlighted the issue.
The Zoom app. (Scoop News Group)

A previously unknown flaw in the videoconferencing software Zoom could allow a hacker to remotely commandeer computers running old versions of the Microsoft Windows operating system, security researchers said Thursday.

A hacker who successfully exploits the vulnerability could access files on the vulnerable computer, said Mitja Kolsek, chief executive of ACROS Security, the Slovenian cybersecurity firm that highlighted the issue. “If the user is a local administrator, the attacker could completely take over the computer,” Kolsek told CyberScoop.

The “zero-day” vulnerability applies to Zoom software running on Windows 7, or even older operating systems.

Microsoft has tried to phase technical support out for Windows 7 in an effort to encourage users to upgrade to more secure operating systems. But Windows 7 is still widely used, and some organizations have struggled to move their computers to the latest Windows software en masse.

Kolsek said he was holding off on publishing a full exploit for the vulnerability until Zoom gets it fixed. His company offered free mitigations for the issue, he said.

After acknowledging the vulnerability on Thursday, Zoom said Friday that it had released a patch for the flaw. “Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates,” a company spokesperson said.

The software bug is the latest security challenge for Zoom, whose popularity has soared around the world as people telework during the coronavirus pandemic. Zoom had about 200 million daily meeting participants in March.

The San Jose, California-based company has hired new security personnel in an effort to respond to increased scrutiny of its code from outside researchers. After criticism of its decision to charge users for an end-to-end encryption service, Zoom reversed course last month and offered it for free.

UPDATE, 07/10/20, 11:41 a.m. EDT: This story has been updated with a statement from Zoom.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.