
Outdated Zoom 4.6.12 Client Could Allow for Arbitrary Code Execution

Zoom has publicly disclosed several vulnerabilities that it has patched in its 5.0.5 release. One vulnerability in the Zoom client could allow for arbitrary code execution, and another in the client's GIPHY feature could allow for an arbitrary file write. Zoom is a video conferencing solution available for Windows, macOS, and Linux systems. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running the Zoom client. If that user has administrative rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected

Zoom Client prior to 4.6.12
RISK: HIGH

Recommendations

Update your Zoom client to the latest version now; version 5.0.5 is available for update. For more information on the latest version, review Zoom's summary of the latest updates and UCLA's latest guidance for using Zoom, and update your desktop client today.

Simple instructions for checking whether you have the latest version and updating your software can be found in Step 2 of our Zoom Security Settings information page.
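For IT staff who need to check more than one machine, the following script is an added example, not UCLA's or Zoom's own tooling. It takes an inventory export (the host, operating system and Zoom version columns are an assumed format, and the hosts and build numbers below are constructed sample data) and lists every client below the 5.0.5 release this advisory recommends. It compares versions numerically rather than as strings, so 4.6.12 is correctly ranked above 4.6.9 and below 5.0.5, and it tolerates the "5.0.5 (build)" form that Zoom's About dialog displays.

```python
"""Flag Zoom clients older than the version recommended in the advisory.

Added example (not UCLA's or Zoom's code). The inventory format
"host,os,zoom_version" is an assumption; the hosts and build tags are
constructed sample data.
"""
import re
from typing import List, Tuple

# Release this advisory recommends updating to.
MINIMUM_VERSION = "5.0.5"

# Zoom's About dialog shows e.g. "Version: 5.0.5 (26213.0602)"; keep the
# dotted release number and ignore the parenthesised build tag.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the dotted release number in `text` as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True when `installed` is strictly older than `minimum`.

    Both tuples are zero-padded to the same length so that "5.0" compares
    equal to "5.0.0" rather than sorting before it.
    """
    have, want = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def flag_outdated(inventory: List[str],
                  minimum: str = MINIMUM_VERSION) -> List[Tuple[str, str]]:
    """Return (host, installed_version) for every inventory row below `minimum`.

    Rows are "host,os,zoom_version"; blank lines and "#" comments are skipped.
    """
    outdated = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _os_name, version = (field.strip() for field in line.split(",", 2))
        if needs_update(version, minimum):
            outdated.append((host, version))
    return outdated


# Constructed sample inventory; hostnames and build tags are not real.
SAMPLE_INVENTORY = [
    "# host,os,zoom_version",
    "lab-mac-01,macOS,4.6.12 (20613.0421)",
    "lab-win-02,Windows,5.0.5 (26213.0602)",
    "lab-lin-03,Linux,4.6.10",
    "lab-win-04,Windows,5.0.4",
    "lab-mac-05,macOS,5.1.0",
]

if __name__ == "__main__":
    for host, version in flag_outdated(SAMPLE_INVENTORY):
        print(f"{host}: Zoom {version} is below {MINIMUM_VERSION}, update required")
```

Point `flag_outdated` at the rows of your own endpoint-management export instead of `SAMPLE_INVENTORY`; only the version column has to match the format above.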

If you encounter any issues, please email the IT Support Center at help@it.ucla.edu. Faculty and staff can also contact their department’s local IT team, and students can email help@it.ucla.edu or call 310-267-4357 (7HELP).

Security Best Practices 

  • DO NOT download, accept, or execute files from untrusted or unknown sources.
  • Apply the Principle of Least Privilege to all systems and services.

Public Knowledge Reference

Cisco Talos: