VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2022 · Updated Sep 16, 2024

DLL injection in Zoom Opener installer for Zoom and Zoom Rooms clients

CVE-2022-22788

Description

The Zoom Opener installer is downloaded by a user from the Launch meeting page when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 is susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victim's host.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zoom Client for Meetings and Zoom Rooms for Conference Room on Windows before 5.10.3 are vulnerable to DLL injection via the Zoom Opener installer, allowing arbitrary code execution.

Vulnerability

The Zoom Opener installer, downloaded from the Launch meeting page when attempting to join a meeting without the Zoom Meeting Client installed, is susceptible to a DLL injection attack. This vulnerability affects Zoom Client for Meetings for Windows before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 [1]. The installer loads DLLs in an unsafe manner, allowing an attacker to place a malicious DLL in a location that the installer searches before the legitimate system path.

Exploitation

An attacker must have the ability to place a malicious DLL in a directory that the Zoom Opener installer will search, such as by having write access to a user's download folder or leveraging other system weaknesses. The victim must download and run the Zoom Opener installer by clicking a meeting invite link without having the Zoom client installed. The vulnerable installer then loads the attacker's DLL, executing arbitrary code in the context of the user running the installer [1]. No authentication from the attacker beyond file placement is required, and user interaction is limited to initiating the download and execution of the installer.
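A defender-side check for the precondition described above, added here as an example and not taken from Zoom or from this advisory: it lists loose DLLs that share a folder with installer-like files, as in a user's download folder, with a hash for triage. The function names, the extension list and the sample file names are assumptions; the advisory does not name the DLLs the installer loads, so every co-located DLL is reported.

```python
import hashlib
import tempfile
from pathlib import Path

INSTALLER_EXTS = {".exe", ".msi"}  # assumption: what counts as an installer

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_download_dir(directory):
    """Non-recursive scan. Returns one finding per loose DLL that shares a
    folder with at least one installer-like file; an installer started from
    that folder may resolve DLL names against it before the system path."""
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    installers = sorted(p.name for p in files if p.suffix.lower() in INSTALLER_EXTS)
    if not installers:
        return []
    findings = []
    for p in sorted(files):
        if p.suffix.lower() == ".dll":  # case-insensitive: .DLL also matches
            findings.append({
                "dll": p.name,
                "sha256": sha256_of(p),
                "size": p.stat().st_size,
                "beside": installers,
            })
    return findings

def demo():
    """Constructed sample: a fake download folder built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "installer_sample.exe").write_bytes(b"MZ constructed")
        (root / "Planted_Sample.DLL").write_bytes(b"MZ constructed dll")
        (root / "notes.txt").write_text("unrelated")
        return audit_download_dir(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['dll']}  {f['sha256'][:16]}  beside {', '.join(f['beside'])}")
```

A finding is a prompt for triage, not proof of tampering: compare the hash and signature of each reported DLL against a known-good source before acting on it.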

Impact

Successful exploitation allows an attacker to run arbitrary code on the victim's host at the privilege level of the user who ran the installer. This could lead to full compromise of the user's data, installation of malware, or further lateral movement within the network. The confidentiality, integrity, and availability of the system are all at risk [1].

Mitigation

Zoom released version 5.10.3 of Zoom Client for Meetings and Zoom Rooms for Conference Room for Windows to fix this vulnerability. Users should update to version 5.10.3 or later immediately [1]. There are no known workarounds; the fix addresses the unsafe DLL loading in the Zoom Opener installer. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

1
