Ivan Fratric of Google Project Zero is credited with discovering and reporting four Zoom flaws in February 2022. Video conferencing giant Zoom has resolved the vulnerabilities in their latest version (5.10.0) and urges all users to upgrade immediately in order to mitigate potential threats (The Hacker News).The four Zoom flaws in question ranged from 5.9 to 8.1 in severity.Zoom first reported on CVE-2022-22784 (severity 8.1), explaining that “The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user’s client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.” (Explore.zoom.us)Regarding CVE-2022-22785 (severity 5.9), Zoom reported, “The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send a user’s Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.” (Explore.zoom.us)As for CVE-2022-22786 (severity 7.5), Zoom reported, “The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.” (Explore.zoom.us)And for CVE-2022-22787 (severity 5.9), Zoom reported, “The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting user’s client to connect to a malicious server when attempting to use Zoom services.” (Explore.zoom.us)What You Can DoFor all four Zoom flaws, upgrading to Zoom 5.10.0 (or newer) will negate the vulnerability. If you are an Acumen Managed Services client, you will receive these updates automatically. If you are not a Managed Services client, we recommend that you update all Zoom installations in your business and at home. Please inform your friends and family of this vulnerability. Visit https://zoom.us/download to get the latest version.