Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier today in a blog post by cyber-security firm ACROS Security. The security firm said the zero-day impacts Zoom’s Windows client, but only when the clients are running on old Windows OS versions, such as Windows 7 and Windows Server 2008 R2 and earlier.
This latest vulnerability is a good reminder that vulnerabilities can have dependencies on other applications and operating systems. It’s best security practice to make sure all the components, including the OS on a system, are up to date — it’s not enough to have just the application up to date.
What makes this case worse is that the OS (Windows 7) involved in this latest vulnerability is one that’s no longer supported by Microsoft. Unsupported code has the added problem that it’s unlikely a fix will be forthcoming. In this case, Zoom may be able to fix their code, but it’s not likely any help will come from Microsoft.