The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files otherwise not deletable by the user.
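The deletion-follows-links pattern described above, illustrated as an added example rather than Zoom's installer code: a cleanup routine for a user-writable directory that first audits it for planted links and then removes its contents without following any of them. The directory layout, file names and helper names are constructed for the demonstration; the `st_file_attributes` check is a Windows-only assumption, where junctions as well as symlinks carry `FILE_ATTRIBUTE_REPARSE_POINT`, while on other platforms only symlinks are detected.

```python
"""Added example (not Zoom's code): clean a user-writable directory from a
privileged context without following planted links. Every symlink or reparse
point met is removed as an entry, never traversed. Layout is constructed."""
import os
import stat
import tempfile

_REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)  # Windows only


def _is_link(st):
    """True for a symlink anywhere, or any reparse point (junction etc.)
    on Windows, judged from an lstat-style result."""
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & _REPARSE)


def _walk_entries(root):
    """Yield (path, lstat) for everything under root, children before
    their parent, and never descend into a link or reparse point."""
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        st = entry.stat(follow_symlinks=False)  # does not resolve links
        if stat.S_ISDIR(st.st_mode) and not _is_link(st):
            yield from _walk_entries(entry.path)
        yield entry.path, st


def find_links(root):
    """Pre-install audit: list every link under root and where it points."""
    found = []
    for path, st in _walk_entries(root):
        if _is_link(st):
            try:
                target = os.readlink(path)
            except OSError:
                target = "<unreadable reparse target>"
            found.append((path, target))
    return found


def _remove_link(path):
    """Remove the link entry itself, not what it points at."""
    try:
        os.unlink(path)
    except (PermissionError, IsADirectoryError):
        os.rmdir(path)  # directory link on platforms that need rmdir


def safe_clean(root):
    """Delete the contents of root; returns (entries_deleted, links_removed).
    Refuses a root that is itself a link, so a swapped root cannot redirect
    the whole operation."""
    root_st = os.lstat(root)
    if _is_link(root_st) or not stat.S_ISDIR(root_st.st_mode):
        raise ValueError(f"refusing to clean {root!r}: not a real directory")
    deleted = links = 0
    for path, st in _walk_entries(root):
        if _is_link(st):
            _remove_link(path)
            links += 1
        elif stat.S_ISDIR(st.st_mode):
            os.rmdir(path)  # children were yielded (and removed) first
            deleted += 1
        else:
            os.unlink(path)
            deleted += 1
    return deleted, links


def demo():
    """Constructed layout: a cleanup directory with real files plus two
    planted links to data outside it. Reports what the routine did."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "protected.txt")  # file the user may not delete
    victim_dir = os.path.join(base, "victim_dir")
    os.mkdir(victim_dir)
    for p in (protected, os.path.join(victim_dir, "secret.txt")):
        with open(p, "w") as fh:
            fh.write("keep me\n")
    cleanup = os.path.join(base, "Zoom")  # the user-writable directory
    os.mkdir(cleanup)
    os.mkdir(os.path.join(cleanup, "logs"))
    for p in ("cache.dat", os.path.join("logs", "a.log")):
        with open(os.path.join(cleanup, p), "w") as fh:
            fh.write("stale\n")
    os.symlink(protected, os.path.join(cleanup, "planted_file"))
    os.symlink(victim_dir, os.path.join(cleanup, "planted_dir"),
               target_is_directory=True)
    audit = find_links(cleanup)
    deleted, links = safe_clean(cleanup)
    link_root = os.path.join(base, "root_is_link")
    os.symlink(cleanup, link_root, target_is_directory=True)
    try:
        safe_clean(link_root)
        refused = False
    except ValueError:
        refused = True
    return {"audit": len(audit), "deleted": deleted, "links_removed": links,
            "protected_survived": os.path.exists(protected),
            "victim_survived": os.path.exists(os.path.join(victim_dir, "secret.txt")),
            "cleanup_empty": os.listdir(cleanup) == [],
            "refused_link_root": refused}


if __name__ == "__main__":
    print(demo())
```

The lstat check and the delete are still two separate steps, so a user who can race the cleanup may swap an entry between them; the durable fixes are to perform the cleanup with the user's own privileges rather than as SYSTEM, or to open each entry with a handle that does not traverse reparse points before deleting it. The audit half (`find_links`) is the part an administrator can run against a staging machine before rolling out an installer that cleans a profile directory.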
CVSS v3.0 Severity and Metrics
Base Score: 8.4 (High Severity)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Zoom implemented a fix for this issue in the Zoom IT installer for Windows version 4.6.10 published on April 7, 2020.
April 7, 2020 version 4.6.10 (20033.0407)
Download Type: Prompted
Changes to existing features
Remove the meeting ID from the title bar
The meeting ID will no longer be displayed in the title bar of the Zoom meeting window. The meeting ID can be found by clicking on the info icon at the top left of the client window or by clicking Participants, then Invite.
Invite button under Participants
The button to invite others to join your Zoom meeting is now available at the bottom of the Participants panel.
Local file transfer in meeting chat
The file transfer feature in meeting chat has been re-enabled. Third-party file transfers and sharing clickable links are still disabled.
Automatic prompt to share reports and logs if Zoom client crashes
Users will be asked if they would like to share reports and logs with Zoom if their Zoom client crashes. This feature can be disabled by admins.
New and enhanced features
Security icon in host’s meeting controls
The meeting host will now have a Security icon in their meeting controls, which combines all of Zoom’s existing in-meeting security controls into one place. This includes locking the meeting, enabling Waiting Room, and more. Users can also now enable Waiting Room in a meeting, even if the feature was turned off before the start of the meeting.
Fixed CVE-2020-11443, thanks to the Lockheed Martin Red Team
Minor bug fixes