The Zoom Client for macOS prior to version 4.4.52595.0425 and after version 4.1.27507.0627 includes a ZoomOpener helper application that was created to reduce the number of steps required to join a Zoom meeting and to update the Zoom client for users of the Safari 12 browser. The ZoomOpener in the affected version range contains a vulnerability due to improper input validation and a lack of validation of downloaded software. An attacker could leverage this vulnerability to cause malicious software to be downloaded to the user’s device. A successful exploit would only be possible if the Zoom Client had been previously uninstalled.
Zoom implemented a fix for this issue in the Zoom Client for macOS version 4.4.52595.0425 published on April 28, 2019. Further, the vulnerable ZoomOpener component was removed in the Zoom Client for macOS version 4.4.53932.0709 published on July 9, 2019.
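The following script is an added example for checking an installed Zoom client against the version boundaries stated in this bulletin; it is not Zoom's code. It classifies a version string in the bulletin's own format (for example 4.4.52595.0425) into the three states the bulletin describes (vulnerable, fixed but helper still present, helper removed) and optionally checks whether a leftover helper bundle exists on disk. The helper location ~/.zoomus/ZoomOpener.app, the strict interpretation of "after" and "prior to", and the sample version strings in the usage block are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""Classify a Zoom for macOS version against the ZoomOpener bulletin ranges."""
import os
import sys

# Boundaries quoted in the bulletin.
LAST_UNAFFECTED = "4.1.27507.0627"   # bulletin: affected versions are after this
FIXED = "4.4.52595.0425"             # bulletin: fix published April 28, 2019
HELPER_REMOVED = "4.4.53932.0709"    # bulletin: ZoomOpener removed July 9, 2019

# Assumed location of the helper bundle; not stated in the bulletin.
ASSUMED_HELPER_PATH = os.path.expanduser("~/.zoomus/ZoomOpener.app")


def parse_version(version: str) -> tuple:
    """Turn '4.4.52595.0425' into (4, 4, 52595, 425) so tuples compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map a version to the bulletin's states.

    Assumption: 'after 4.1.27507.0627' and 'prior to 4.4.52595.0425' are read
    as strict inequalities, so both boundary versions are outside the range.
    """
    v = parse_version(version)
    if v <= parse_version(LAST_UNAFFECTED):
        return "outside-range-older"     # predates the affected helper
    if v < parse_version(FIXED):
        return "vulnerable"              # affected ZoomOpener present
    if v < parse_version(HELPER_REMOVED):
        return "fixed-helper-present"    # input validation fixed, helper still shipped
    return "helper-removed"              # helper no longer part of the client


def helper_present(path: str = ASSUMED_HELPER_PATH) -> bool:
    """True if a ZoomOpener bundle still exists at the assumed path.

    The bulletin notes the helper is only exploitable once the client has been
    uninstalled, so a leftover bundle without a client is the case to look for.
    """
    return os.path.isdir(path)


def report(version: str, path: str = ASSUMED_HELPER_PATH) -> dict:
    """Combine the version state with the on-disk helper check."""
    state = classify(version)
    return {
        "version": version,
        "state": state,
        "helper_on_disk": helper_present(path),
        "action": {
            "vulnerable": f"update to {FIXED} or later; prefer {HELPER_REMOVED}+",
            "fixed-helper-present": f"update to {HELPER_REMOVED}+ to drop the helper",
            "helper-removed": "no action for this bulletin",
            "outside-range-older": "version predates the affected helper; verify it is real",
        }[state],
    }


if __name__ == "__main__":
    # Usage: python3 zoom_check.py 4.4.52595.0425
    # The version strings below are constructed samples, not real releases.
    for arg in (sys.argv[1:] or ["4.2.0.0", FIXED, HELPER_REMOVED]):
        print(report(arg))
```

Run it with the version shown in Zoom's About dialog. A host whose client was uninstalled will report a version only if you supply one manually, so in that situation the helper_on_disk field is the value that matters.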
CVSS v3.0 Severity and Metrics
Base Score: 7.5 (High Severity)
Attack Vector: Network
Attack Complexity: High (depends on conditions outside the attacker’s control)
Privileges Required: None
User Interaction: Required
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Note: CVSS score may differ from that published in NVD due to differences between analysts in impact assessment or other calculation components.