Zoom vulnerabilities impact clients, MMR servers

Google researchers looked into the videoconferencing software’s now-patched flaws. According to experts, two vulnerabilities recently disclosed to Zoom could have led to remote exploitation of clients and MMR servers. Natalie Silvanovich, a Project Zero researcher, presented an analysis of the security issues on Tuesday, the outcome of a probe sparked by a zero-click attack on the videoconferencing tool demonstrated at Pwn2Own.

“In the past, I hadn’t given Zoom much thought because I assumed that any attack on a Zoom client would necessitate many clicks from the user,” the researcher added. “However, even if it takes numerous clicks, it’s likely not that difficult for a dedicated attacker to persuade a target to join a Zoom conversation, and the way some businesses employ Zoom creates fascinating attack possibilities.”

Silvanovich discovered two bugs: one was a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), and the other was an information leak in MMR servers.


There was also a lack of Address Space Layout Randomization (ASLR), a security feature that protects against memory corruption attacks.

“ASLR is likely the most significant mitigation in preventing memory corruption exploitation, and most other mitigations rely on it to be effective,” Silvanovich said. “In the vast majority of software, there is no legitimate reason for it to be disabled.”

The researcher considers the issues “particularly concerning” because MMR servers process call content, including audio and video; had they been compromised, any virtual conference without end-to-end encryption enabled would have been vulnerable to eavesdropping.

The researcher did not complete the entire attack chain, but believes that with enough time and “adequate investment,” a determined attacker might do so.

On November 24, 2021, the vendor was notified of the vulnerabilities, and they were patched. Since then, Zoom has enabled ASLR.

It was feasible to uncover these issues because Zoom allowed customers to set up their own servers. However, the “closed” nature of Zoom, which unlike many comparable products does not incorporate open source components such as WebRTC or PJSIP, made security vetting more difficult.

The research required the Project Zero team to pay close to $1500 in licence costs, a price that others, particularly independent researchers, may not be able to afford.

“These roadblocks to security research are likely preventing Zoom from being researched as frequently as it could be, perhaps resulting in basic issues getting undetected,” Silvanovich added. “Security researchers and others who seek to use closed-source software have unique security challenges, and Zoom might do more to make their platform accessible to them.”

