It appears that Gloox, a relative low-level XMPP-client C library, rolled much of its Unicode and XML parsing itself, which made such vulnerabilities more likely. There maybe good reasons to not re-use existing modules and rely on external libraries, especially if you target constraint low-end embedded devices, but you should always be aware of the drawbacks. And the Zoom client typically does not run on those.
I just kind of love that Zoom uses XMPP, which I had no idea about. Big fan of XMPP as an unsung hero of the messaging realm.
Without federation it’s as heartwarming as knowing that Apple’s App Store interface is a WebView.
Did they switch to HTML? People always claimed that the itunes store was HTML but it was a custom format with a custom renderer.
Facebook Messenger also uses it internally, or at least it did at some point. Now if only all the XMPP users actually federated…
It did, but it’s all MQTT these days
I don’t understand why this was reported on the Chromium bug tracker. At first I thought it would affect people using the WebRTC version of Zoom, but since it references an XML library written in C++, I don’t think the in-browser Zoom client could use that. Was the WebRTC version safe all along by using a better XML parser, or maybe just by omitting the vulnerable features altogether? There’s certainly no way to download an updated installer.exe in it.
The vulnerability was discovered by Project Zero, which is Google’s vulnerability research team. They do their bug tracking using the Chromium issue tracker, which is why it was reported there.
That’s weird! Thanks for the explanation though.