[MacTUG] Zoom Remote Support Exploit on MacOS

Stephen Markan smarkan at connect.uwaterloo.ca
Wed Jul 10 10:51:46 EDT 2019


The information below was brought to our attention by Mike Patterson of the IST Security Operations Centre, and we are sharing it with IT groups that may need to assist end-users.

An exploit for the Mac version of Zoom.us has been made public.
If you don't know what Zoom is, it is similar to Cisco WebEx. Most often it is used by vendors to provide tech support of the "let me type on your keyboard for you" kind.

The short version for remediation is:
1) If you have Zoom installed, upgrade immediately.
2) If you've ever had Zoom installed but deleted it, install the latest version and then uninstall it to get rid of any vestiges.

The TL;DR information is:
The exploit works as follows:
I send you a link (or embed a hidden iframe in a site) that will automatically launch the Zoom client and, depending on how you've used it before, perhaps automatically enable your camera and/or microphone. If you've deleted the application but not completely cleansed it from your system, it can also force a reinstall of the client.

Zoom is downplaying the significance of this, as the user will be prompted to start the client. However, people will blindly click OK or Yes to things that pop up. A fix has been released.
It's also likely that the associated local webserver Zoom installs - and persists until manually killed - has other security vulnerabilities yet to be disclosed.

Uninstalling the application is trivial for a Unix admin, not so much for people who aren't. The first step is what everybody knows: drag it out of /Applications into the Trash. Then you need to kill the web server. There are two ways to do this, one of which requires a reboot.

Non-reboot way:
Open Terminal and run:
lsof -i :19421
You should get a single line of output; there will be a command name, and then a number, which is the PID. You then type
kill <pid number>
Then remove the hidden directory in your home folder that the web server lives in:
rm -rf ~/.zoomus

Reboot way:
Open Terminal, run the rm command above, then reboot.
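For IT staff cleaning up many machines, the steps above can be scripted so the result is verified rather than eyeballed. This is an added example, not part of the original post or of Zoom's uninstaller; it assumes the web server listens on TCP 19421 and keeps its files in ~/.zoomus as described above, and the lsof sample in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): automate the non-reboot
# cleanup of the Zoom local web server and verify nothing is left behind.
ZOOM_PORT=19421
ZOOM_DIR="${HOME}/.zoomus"

# Print the PIDs in `lsof -i :PORT` output read from stdin.
# Column 2 of every non-header row is the PID. Kept as a pure filter so it
# can be checked against captured output, e.g. the constructed sample:
#   COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
#   zoomproc 4242 alice 3u IPv4 0x1 0t0 TCP localhost:19421 (LISTEN)
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# PIDs of processes currently using the Zoom port (empty if none).
# -nP skips DNS and service-name lookups so the output is predictable.
zoom_listener_pids() {
    lsof -nP -i :"$ZOOM_PORT" 2>/dev/null | pids_from_lsof
}

# True (exit 0) when either the listener or the directory is still present.
# The directory can be overridden so the check is testable on any machine.
zoom_remnants_present() {
    dir=${1:-$ZOOM_DIR}
    [ -n "$(zoom_listener_pids)" ] || [ -d "$dir" ]
}

# Stop any listener, remove the hidden directory, then re-check.
# Returns 1 if something survived, so the caller knows a reboot is needed.
remove_zoom_remnants() {
    dir=${1:-$ZOOM_DIR}
    for pid in $(zoom_listener_pids); do
        kill "$pid" && echo "stopped PID $pid"
    done
    [ -d "$dir" ] && rm -rf "$dir"
    if zoom_remnants_present "$dir"; then
        echo "Zoom remnants still present; reboot and run again" >&2
        return 1
    fi
    echo "no Zoom web server on port $ZOOM_PORT and no $dir found"
}
```

Run `remove_zoom_remnants` as the affected user; a non-zero exit means the reboot method is still required.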

Further details are here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

If you have any questions about this vulnerability, please contact the Security Operations Centre at x41125 or email soc at uwaterloo.ca

