For those of you who wake up to Zoom Exploit news.
You can set ZoomOpener.app as a Restricted Software.
Kill Process
Restrict to exact process name
Kill Process.
I would not recommend turning on Send Email or Message to the user.
Page 4 / 5
@andrew.nicholas tnx, this did it!
Hello not sure if anyone saw this but Apple actually is removing the web server via silent update. Actually it is done through XProtect.
https://www.macrumors.com/2019/07/10/apple-update-remove-zoom-server/
@kmathern
they deployed an update to MRT (malware removal tool). If a machine has ver. 1.45 of MRT, it is patched to prevent the web server issue. My machine received the update at 9:03am est today automatically pushed and silently from apple.
Hey Guys, I put together a quick post to show you how to manually download only the MRTConfigData v1.45 update AND manually run it using the MRT Binary.
https://mrmacintosh.com/how-to-remediate-the-zoom-vulnerability-with-apple-malware-removal-tool/
@ClassicII Either I'm seeing an odd layout, or it looks like some of the software update commands in your article had the -- (double minus?) replaced with an – (en dash).
Thank you for the heads up! That is exactly what happened, in the code I had - - but it was converted to one -. I changed the formatting to code so shows up properly now. You win the Mr. Macintosh Eagle Eye Award for the day! :)
https://www.jamf.com/jamf-nation/discussions/29561/script-to-install-update-zoom#responseChild187390
The Zoom thing just turned from opening up an unwanted meeting with the camera on to full blown RCE.
https://nvd.nist.gov/vuln/detail/CVE-2019-13567
If you are scoping for only the app in your policies, you may not catch everyone. If users heard of the news and deleted the app the web server still remains!!!
Even worse the MRT Scanner does not until after a reboot.
Update your Machines and Force MRT scanner to run without a reboot!
[EDIT: To support MRTConfigData 1.60.]
We opened a ticket with Apple, they advised we run as daemon (-d).
This script checks MRT version, downloads the update, then runs MRT, then checks the version again:
#!/bin/sh
verString=$( defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )
# Check MRT version
echo "MRT is version ${verString}."
# Update MRT
echo "Updating MRT."
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.60 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.59 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.58 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.57 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.56 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.55 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.54 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.53 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.52 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.51 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.50 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.49 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.48 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data 2>/dev/null
# Run as daemon
#echo "Running MRT as daemon."
#/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d
# Check MRT version
echo "MRT is version ${verString}."
exit 0EA for reporting:
#!/bin/sh
MRTvers=$( /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )
echo "<result>$MRTvers</result>"We have a Smart Computer Group that reports on computers having 1.4.5 thru 1.60 for a bit of future proofing.
However, would not exclude any computers, since MRT might be up to date but not have run.... :)
Thanks @ClassicII for your awesome blog, Apple likes it too!
Looks like a tweaked version of the client is out...
4.4.55313.0714
Hey guys
So if I wanted to just see my affected users, I could run that handysmart group check that @balexander posted, correct? And then we can just run the MRT update script to every computer in our environment to make sure we're all good yeah? Apologies as I am literally just getting back from vaycay and making sure I got everything haha. I want to ensrue there is nothing else I am missing. Besides the MRT to everyone, is there anything else I should ensure we run?
that should do it. and to be honest, at this point MRT has probably updated on any machines that have been online the past week or so. It seems to happen pretty quickly and automagically. also; just checked and looks like the current MRT version is still 1.45, so you can keep that value for the smart group value.
MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon
i see posts everywhere about 1.46, but am not seeing it actually being available yet. weird.
I was able to get 1.46 (and new Gatekeeper) with:
softwareupdate -i -r --include-config-data
MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon
Would be nice if Apple provided an MRT release notes page.
yeah @kfbbt if i run /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data
it updates to 1.46 just fine.
We have a reposado server. Agree @donmontalvo . How you holding up out there buddy
oh and here's another zoom update for ya
zoom.us v 4.4.55387.0716
is zoom the new flash?
dueces
Or for the love of.....
https://9to5mac.com/2019/07/16/ringcentral-and-zhumu-macos-update/
apparently 1.46 was pushed because everything is poisonous and all software vendors are against us :)
Nix4Life...The new flash. 4.4.55387.0716 released without release notes and/or notice. Thanks Zoom!
This zoom thing keeps on going!!!
10 more Zoom Vulnerabilities and a new RCE found.
- /.ringcentralopener
- /.telusmeetingsopener
- /.btcloudphonemeetingsopener
- /.officesuitehdmeetingopener
- /.attvideomeetingsopener
- /.bizconfopener
- /.huihuiopener
- /.umeetingopener
- /.zhumuopener
10./.zoomcnopener
I tried to put all this new stuff on Zoom and MRT in a big Index of Information and links for you.
https://mrmacintosh.com/zoom-vulnerably-round-2-10-more-variants-index-of-mrt-links-info/
Wow, updated script to support 1.47, but holy mudder of gawd, what a mess.
@Nix4Life zoom.us is killing me man...killing me...haha
No kidding @donmontalvo !!!!
I mean how many different Zoom variants are out there? We are now at 14 total, you would think zoom would know exactly how many exist.
Hey all!
Apoliogies for sounding pretty inept at folowing this, but for someone just getting back from a vaycay and seeing this all, Im trying to make sure im current haha...
So to ensure I nail down which of my end users are affected by this, I can run a smart group check, and set it up like @balexander did? (thank you so much for that!)
And then is it simply a matter of running a script like the one in the deflounder page and then ensure the MRT update is run on all computers? Would that be an effective way of going about this? Am I doing too much? too little? Apologies as I work in a k-12 so we want to ensure we get everyone taken care of.
Thanks so much for any help
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.