Google Project Zero security researcher Ivan Fratric launched a remote code execution attack by exploiting the technology underlying Zoom and other applications.
Fratric's exploit targets bugs in XMPP, an XML-based instant messaging-like protocol. The method involves embedding pieces of XMPP code, or stanzas, within other XMPP stanzas. The attacker is then able to use a client to smuggle stanzas within legitimate messages, which are accepted and passed on by the intermediate server but interpreted as two stanzas by the victim's IM client.
Fratric alerted Zoom, which has issued patches, but Fratric warned that other targets also are vulnerable to XMPP bugs.
From PC Magazine
View Full Article
Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA