Update 11:03am CT: In an email to the Daily Dot, Zoom said it had patched the issue:
“Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates.”
The original story appears below.
A vulnerability in the popular videoconferencing app Zoom has been discovered that affects computers running older versions of the Windows operating system.
The “zero-day” flaw, meaning a previously unknown vulnerability, was flagged by cybersecurity firm ACROS Security on Thursday.
In a blog post, ACROS Security wrote that they were made aware of the vulnerability by a researcher who wished to remain anonymous.
The vulnerability affects computers running Windows 7 or an earlier version of the operating system. It does not affect Windows 8 or 10, ACROS wrote.
The flaw allows a hacker to “execute arbitrary code on victim’s computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file,” Mitja Kolsek of ACROS Security wrote in the blog post.
Kolsek added: “No security warning is shown to the user in the course of attack.”
ACROS Security demonstrated how the attack would work in a video. In the firm’s example, a user could trigger the vulnerability simply by clicking the “start video” button.
Zoom has said it is working to issue a patch for the vulnerability.
“Zoom takes all reports of potential security vulnerabilities seriously,” a Zoom spokesperson told the Daily Dot. “Yesterday morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
While Microsoft stopped supporting Windows 7 earlier this year, the operating system is still widely used.