Annual Pwn2Own Contest Reveals No User Interaction Zoom Remote Code Execution

From binarydefense.com

Pwn2Own is an annual contest held by the Zero Day Initiative that gives hackers and researchers around the world a chance to win substantial monetary rewards for producing never-before-seen exploits against some of the most widely used software and hardware, with the goal of helping vendors improve the security of their products.

This year Zoom came under the microscope from Daan Keuper and Thijs Alkemade of Computest. They exploited the Zoom messenger with a three-bug exploit chain, obtaining remote code execution without any user interaction. As of this writing it is known to work against the Windows and Mac versions of the Zoom client and has yet to be proven effective against the iOS or Android apps. Zoom has been notified and is in the process of producing a patch for this vulnerability. A suggested workaround is to use the browser version of the Zoom client on Windows or Mac.
