Zoom Mac Vulnerability: Automating Removal

July 10, 2019

Zoom Mac Vulnerability: Automating Removal

Foreword

Yesterday, a Medium article surfaced a Zero-Day vulnerability on Mac Zoom Client that allows any malicious website to enable your camera without your permission or knowledge.

At The Lifetime Value Company, we incorporate security and privacy into everything we do. This particular vulnerability, which exposes up to 750,000 companies around the world that use the video conferencing app, stood out to us as something that should be addressed immediately.

A quick survey of our Mac inventory showed a majority of our machines had Zoom installed— this is despite the fact that we don’t have our own corporate subscription for the service. So even if you believe your organization isn’t vulnerable because you don’t subscribe to Zoom, it is still likely some of your employees have had Zoom meetings at one point or another.

The TL;DR: Zoom Mac Client installs an “undocumented” web server as localhost on your Mac. This was created to allow “more user-friendly” features such as joining calls with one click. Unfortunately, this opens up the potential of users having their cameras and/or microphones turned on without their knowledge and possible DoS attacks against the user. The worst case scenario would be if someone discovers a critical flaw in the web server allowing remote code execution. There have already been hints of an exploit being developed on twitter.

To make matters worse, uninstalling the Zoom Mac Client does not remove the installed web server. This leaves users potentially vulnerable even after uninstalling the Zoom Client.

Full details can be found in the Medium article:

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

We’ve notified our employees we are removing Zoom from their Macs but if they have a Zoom meeting with a third party they can join via the ‘in browser’ option.

Disclaimer our lawyer made us add: Please be advised that the below is solely intended for informational purposes and in no way constitutes advice or specific recommendations – please proceed at your own risk.

The Fix

Here is a quick summary of how to fix the issue based on information from the medium article:

Uninstall the Zoom Application
- We’ve seen the Zoom application installed as Zoom.app or us.zoom.app
Kill the process associated with the web server.
- You can use this command to see if a process is running on the Zoom port
- lsof -i :19421
- Kill the process
- kill -9 [process number]
Remove the web server and its directory.
- The web server is located at the ~/.zoomus directory on your Mac

(Additional details can be found in the Medium link above)

Jamf

If you are running a Mac shop there is a good chance you are also using Jamf. At BeenVerified we use Jamf for Mac provisioning, management and security. This allowed us to put together a fix and push it out to our employees very quickly. Below is how we used Jamf to fully uninstall Zoom and the webserver.

Smartgroup

To fix this issue, first we create a Jamf Smartgroup for users with Jamf

Name `Has Zoom’

Application Title ‘has’ Zoom.app or

Application Title ‘has’ zoom.us.app’

The Script

Our CIO created the following script to uninstall the application and the webserver.

Note: In most, but not all, installations we have seen have the webserver running.

Policy

Next we created a Jamf Computer policy.

Have the script run at Recurring Check-In, Once Per Day. Remember, once Zoom is removed the computer will be removed from the Smart Group automatically.

The main Payload is the above script.

Always add the ‘Maintenance’ option to ‘Update Inventory’ for good measure.

Scope the policy to the ‘Has Zoom’ Smart group.