Zoom Vulnerability / Exploit and RCE
UPDATE: 07/18/19 – I put together a new blog update that includes 14 total Zoom Variants, New MRTConfigData 1.47 along with new information, fixes and links! – mrmacintosh.com/zoom-vulnerably-remediation-14-total-variants-index-of-mrt-links-info/
Yup, the Zoom Vulnerability has been THE talk of the MacAdmins community for the past 2 days. This stuff moves very fast and you have to keep an eye out! The vulnerability was first disclosed by Jonathan Leitschuh. It affects not just Zoom but also RingCentral and possibly BlueJeans. A statement from BlueJeans is linked below.
- medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
- nvd.nist.gov/vuln/detail/CVE-2019-13450
- nvd.nist.gov/vuln/detail/CVE-2019-13567
- theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras
- support.bluejeans.com/s/article/BlueJeans-Detector-Service
How do I remediate CVE-2019-13450?
Below are three options you can look through.
- Option #1 Install Updated Zoom.app
- Option #2 Apple MRT – Malware Removal Tool
- Option #3 Manual Removal + Scripts and links
Option #1 Install Updated Zoom.app 4.4.53932.0709
Install the new version of Zoom zoom.us/support/download
This version should remove everything, including the web server installed to ~/.zoomus.
From blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/
Tuesday, July 9
Zoom issued an update to our Mac app with the following:
Removed the local web server via a prompted update
Allowed users to manually uninstall Zoom. This new option to the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings.
Wednesday, July 10
Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.
Weekend of July 13
We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)
Option #2 Apple MRT – Malware Removal Tool
Apple, in a very quick move, released MRTConfigData 1.45 at 5PM CST yesterday. According to TechCrunch:
techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.
TechCrunch
Apple said the update does not require any user interaction and is deployed automatically.
Apple’s Malware Removal Tool will update on all 10.11, 10.12, 10.13 & 10.14 Macs within 24 hours,
as long as you have softwareupdate set to Automatically Check for Updates, Download New Updates in the Background & Install System Data Files and Security Updates. NOTE: 10.11 does not have the --include-config-data option, so you have to run sudo softwareupdate -ia --background
I need the update now!
Got you covered! You can use softwareupdate to manually install MRTConfigData 1.45. Run this to list all available XProtect and MRT config-data updates:
softwareupdate -l --include-config-data
To install the update, run:
softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data
I am not sure yet whether just installing the new update actually activates and runs MRT. This command works great because it installs ONLY the named update. If you use softwareupdate -ia --include-config-data instead,
it will install ALL available software updates, including combo updates, Safari, etc.
Verify that you have 1.45:
defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
To force MRT to run now:
NOTE: If you are trying to run MRT.app remotely over ssh or via an MDM, it needs to run as the logged-in user, at least in 10.14. In 10.12 and 10.13 MRT seems to run fine no matter the user. You can use the 2 lines of code below to get the logged-in user and then run the command as that user. The error you will get in 10.14 says failedToReceiveProfileList.
Manual command that you can run if you are logged in as the user:
/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
Hat Tip to AndyInCali on MacAdmins Slack for the MRT -a !!!
Option #3 Manual Removal + Scripts and Links
Rich Trouton wrote a great script to manually remove Zoom’s web server.
NOTE: Keep in mind that trashing the app will NOT remove the ~/.zoomus web server. You will either need to kill the process and then overwrite the file as in Rich’s script below, wait for MRT, or install the new version, which removes the web server.
derflounder.wordpress.com/2019/07/10/zoom-vulnerability-and-remediation-script/
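Putting the Option #2 version check and the Option #3 leftover-directory check together, here is an added example (my own, not from the post, Rich’s script, Apple or Zoom) that reports whether a Mac already has MRTConfigData 1.45 or later and which user homes still carry ~/.zoomus. The `softwareupdate -l` sample text inside it is constructed to look like 10.14-style output; the /dev/console lookup and the "Label:" output form are assumptions about macOS rather than anything the post states.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple/Zoom: reports MRT version
# state and any user homes still holding the ~/.zoomus web-server directory. Pure
# helpers are kept apart from macOS-only commands so they run on any POSIX shell.
MRT_PLIST=/System/Library/CoreServices/MRT.app/Contents/Info.plist
MIN_MRT_VERSION=1.45   # MRTConfigData version the post says removes the web server

# Constructed sample of 10.14-style `softwareupdate -l --include-config-data` output.
SAMPLE_LIST='Software Update Tool
Software Update found the following new or updated software:
   * MRTConfigData_10_14-1.45
        MRTConfigData (1.45), 3704K [recommended]'

# version_at_least A B: succeeds when dot-separated version A >= B (numeric per field).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# mrt_label_from_list TEXT: prints the MRTConfigData label (e.g. MRTConfigData_10_14-1.45)
# from a "* Label" (10.14) or "* Label: Label" (assumed 10.15) line; empty if none offered.
mrt_label_from_list() {
    printf '%s\n' "$1" |
      sed -n 's/^[[:space:]]*\*[[:space:]]*\(Label:[[:space:]]*\)\{0,1\}\(MRTConfigData[^[:space:]]*\).*/\2/p' |
      head -n1
}

# zoomus_dirs HOMES_DIR: prints every home under HOMES_DIR that still has a .zoomus
# directory; trashing Zoom.app leaves it (and the web server) behind.
zoomus_dirs() {
    for home in "$1"/*; do
        [ -d "$home/.zoomus" ] && printf '%s\n' "$home/.zoomus"
    done
    return 0
}

# macOS only. MRT -a must run as the console user on 10.14, so this prints that
# user instead of launching the scan; run the install line it suggests with sudo.
report() {
    installed=$(defaults read "$MRT_PLIST" CFBundleShortVersionString)
    if version_at_least "$installed" "$MIN_MRT_VERSION"; then
        echo "MRT $installed is already >= $MIN_MRT_VERSION"
    else
        label=$(mrt_label_from_list "$(softwareupdate -l --include-config-data 2>/dev/null)")
        echo "MRT $installed is older than $MIN_MRT_VERSION; offered: ${label:-nothing}"
        [ -n "$label" ] && echo "Install: sudo softwareupdate -i $label --include-config-data"
    fi
    echo "Console user for MRT -a: $(stat -f %Su /dev/console)"
    echo "Homes still holding ~/.zoomus:"; zoomus_dirs /Users
}

if [ "$(uname)" = Darwin ]; then report; fi
```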
You can follow a long thread on Jamf Nation:
.jamf.com/jamf-nation/discussions/32561/zoom-exploit
You can also talk about the Zoom Vulnerability and join the #zoom channel in MacAdmins Slack.
Thank you, the things about how to remediate the Zoom Vulnerability with Apple Malware Removal Tool are really interesting. Can I share it?
Thank you Siti, sure you can share.