Critical Zoom security flaw lets hackers take over your PC: What to do [updated]

Updated with news of a patch from Zoom.

There's a big flaw in the Zoom meeting software for Windows that could let hackers take over your computer, and there's no official patch available yet. [Update: Now there is.] But the good news is that only PCs running Windows 7 or earlier versions of Windows are at risk.

That still leaves millions of people vulnerable, however, as many computers have not been, or can't be, upgraded to Windows 8.1 or 10. 

If you're one of those people, it might be best for now to use Zoom in a web browser or on a phone instead of using the Windows Zoom client application. (Instructions on how to join a Zoom meeting from a web browser are below.)

"The vulnerability allows a remote attacker to execute arbitrary code on [the] victim's computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file," wrote Mitja Kolsek of Slovenian security firm Acros on an official company blog yesterday (July 9). "No security warning is shown to the user in the course of attack."

Kolsek didn't get into further technical details, but the blog post included a video showing an exploit of the vulnerability in action.

The Zoom flaw was reported to Acros by a security researcher who apparently wants to remain anonymous. Acros in turn reported the flaw to Zoom. 

A Zoom spokesperson told ZDNet that "we have confirmed this issue and are currently working on a patch to quickly resolve it."

Acros has its own skin in the game because it specializes in crafting and distributing "micropatches" for common software flaws before the actual software makers get around to fixing the problems. 

In general, only enterprise customers who subscribe to Acros' 0patch service can get those micropatches. But Acros is making the micropatch for this Zoom flaw available for free until Zoom comes up with its own fix (or decides not to fix it).

We have mixed opinions about the worthiness of installing Acros' micropatch. The company's developers doubtlessly know what they're doing, but you'd still be adding unofficial code, which has not been authorized or analyzed by the software's actual developers, to a software product.

How to join a Zoom meeting from your browser

Again, it might just be best to log into Zoom meetings using your web browser. You can do so by simply clicking a Zoom meeting link in a Zoom invitation, or copying and pasting the link into your browser's address bar.

When the web page loads, you'll likely see a pop-up window asking for permission to launch your installed Zoom Meetings client software, or to install the Zoom meeting client software for your operating system. Ignore those suggestions and hit "Cancel" instead.

Then click the Launch Meeting text in the web page, and the same pop-up will appear again. Hit "Cancel" again. 

Look at the web page again, and you'll see that a new line appears stating that "If you cannot download or run the application, join from your browser." Click "join from your browser" and you'll be shepherded through the sign-in process.

How to install Acros' micropatch

According to Kolsek's blog post, to obtain the micropatch for the Zoom Windows client, you'll need to sign up for a 0patch account at https://central.0patch.com, then install the 0patch Agent software.

Kolsek wrote that once the 0patch Agent is installed, the Zoom micropatch will be downloaded and installed automatically, and that no system restart will be needed.

The micropatch works on Zoom for Windows versions 5.0.3 through 5.1.2.

Update: Zoom releases a patch

A Zoom spokesman reached out to us later Friday (July 10) to note that Zoom had issued a patch for this flaw.

"Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download."

Paul Wagenseil
