Question

Zoom Exploit



103 replies

sharriston
Forum|alt.badge.img+9
  • Valued Contributor
  • 146 replies
  • July 9, 2019

@andrew.nicholas I am seeing that on some older test machines as well.


Forum|alt.badge.img+14
  • Honored Contributor
  • 408 replies
  • July 9, 2019

Has anyone found that setting ZDisableVideo in /Library/Preferences/us.zoom.config.plist disables video completely?
I'm seeing weird behavior in that the user can't click "Start Video" after joining a meeting.


Forum|alt.badge.img+3
  • New Contributor
  • 3 replies
  • July 9, 2019

I had that experience @jtrant. Was resolved by a reinstall of the zoom app, but I'm unclear on why it happened or if I can expect it to happen when I roll out the fix to the larger group of users.


Forum|alt.badge.img+1

I've tried everything in this post, but nothing seems to work. Any other suggestions?


Forum|alt.badge.img+13

@jtrant Looks that way. This whole thing has gotten to be a bit of a cluster to be honest, as it seems no one has a truly great idea of the application management capabilities and the application itself seems to be a Pandora's box of fun. According to a post in the similar thread on /r/sysadmin they will be releasing a patch by midnight tonight.


Forum|alt.badge.img+9
  • Contributor
  • 154 replies
  • July 9, 2019

Added this to my script to remove Zoom in the User's Application folder (~/Applications/)

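#!/bin/sh
# Removes user-downloaded Zoom and the .zoomus folder for all users.
# Loop over each home: a glob inside [ -e ... ] errors out when more than one path matches.
for userHome in /Users/*; do
    # Remove the copy of Zoom in the user's ~/Applications
    if [ -e "$userHome/Applications/zoom.us.app" ]; then
        rm -rf "$userHome/Applications/zoom.us.app"
    fi

    # Remove .zoomus
    if [ -e "$userHome/.zoomus" ]; then
        rm -rf "$userHome/.zoomus"
    fi
done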

Forum|alt.badge.img+14
  • Honored Contributor
  • 408 replies
  • July 9, 2019

At least it's not just me.


sharriston
Forum|alt.badge.img+9
  • Valued Contributor
  • 146 replies
  • July 9, 2019

So through testing and a ton of help from the macadmins slack group the issue seems to be that if you have installed the public desktop version of zoom and run

defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

The public version of zoom does not respect that plist, only the ITAdmin download of zoom will respect that plist. Now how do we figure out which version a user has?


Forum|alt.badge.img+6
  • Contributor
  • 45 replies
  • July 9, 2019

I'm in the same boat as @ageevarughese. Tried everything, and the video function is still enabled. Uploaded the custom plist and same result.

Could it be disabled via Zoom admin console?


Forum|alt.badge.img+9
  • Contributor
  • 37 replies
  • July 9, 2019

Sorry if I missed this being mentioned already, but what about removing the right to the camera from Security and Privacy in System Preferences to not allow Zoom access to the camera?


Forum|alt.badge.img+1
  • New Contributor
  • 3 replies
  • July 9, 2019

In addition to my last post - I've been able to use the composer application to create a new pkg file which you can then push out via Jamf. Confirmed working and not having the video issues mentioned above.


stevewood
Forum|alt.badge.img+35
  • Employee
  • 1797 replies
  • July 9, 2019

@andrew.nicholas your bit to figure out the home dir is slightly off. You're missing /Users/ before the user name. You have:

currentUserHome=$( dscl . read "$currentUser" NFSHomeDirectory | awk '{print $2}')

Should be: currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')

Otherwise the variable is blank.

The road we are taking is to package up the Zoom IT Installer, along with the plist, drop into /tmp and then install that. We are scoping any machine with Zoom installed regardless of version. Kind of heavy handed, but it gets it done. And the postinstall script that does the installation also deletes the web server folder and creates a new folder that is locked:

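#!/bin/bash
# Identify the console (logged-in) user and their home directory
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')

# Install the Zoom IT package staged in /tmp
/usr/sbin/installer -pkg /tmp/ZoomInstallerIT.pkg -target /

# Delete webserver
zoompid=$(lsof -ti :19421)
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    # Unquoted on purpose: lsof can return more than one PID, one per line
    kill -9 $zoompid
fi

# Replace ~/.zoomus with an empty placeholder that has no permissions.
# Skipped when the home directory lookup came back blank.
if [ -n "$currentUserHome" ]; then
    rm -rf "$currentUserHome/.zoomus"
    touch "$currentUserHome/.zoomus"
    chmod 000 "$currentUserHome/.zoomus"
fi

exit 0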

We are also deploying a login script that will use Outset to run at every login to check for the web server, delete if present, and lock it. Basically using the last few lines of that postinstall script.

On top of that, we are pushing out the latest Outlook plug-in for users that have that installed.

A big thank you to all of you that did the leg work for me today. ;-)
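
An added example, not code from any poster in this thread: a read-only audit of the `~/.zoomus` lock described above, in the style of the Extension Attribute and login-check approaches mentioned here. The function names, state labels and the `--ea` switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: read-only audit of ~/.zoomus for every home under a root.
# State labels and function names are illustrative, not from the thread.
#   absent    - nothing at ~/.zoomus
#   webserver - ~/.zoomus is a directory (the web server folder is present)
#   locked    - ~/.zoomus is a plain file with mode 000 (the placeholder)
#   unlocked  - ~/.zoomus is a plain file that still has permission bits
#   symlink   - ~/.zoomus is a symlink; inspect by hand rather than follow it

zoomus_state() {
    target="$1/.zoomus"
    if [ -L "$target" ]; then
        echo "symlink"
    elif [ -d "$target" ]; then
        echo "webserver"
    elif [ -f "$target" ]; then
        # First 10 characters of ls -ld are the mode string (---------- = 000)
        mode=$(ls -ld "$target" | awk '{print substr($1, 1, 10)}')
        if [ "$mode" = "----------" ]; then echo "locked"; else echo "unlocked"; fi
    else
        echo "absent"
    fi
}

# Print "shortname state" for each home; assumes short names without spaces.
audit_homes() {
    root="${1:-/Users}"
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        case "$(basename "$home")" in Shared|Guest) continue ;; esac
        echo "$(basename "$home") $(zoomus_state "$home")"
    done
}

# "Yes" if any home has a live web server folder or an unlocked placeholder.
needs_remediation() {
    if audit_homes "$1" | awk '$2 != "locked" && $2 != "absent" {bad=1} END {exit !bad}'; then
        echo "Yes"
    else
        echo "No"
    fi
}

# With --ea, print the <result> form that Jamf Extension Attributes read.
if [ "${1:-}" = "--ea" ]; then
    echo "<result>$(needs_remediation /Users)</result>"
fi
```

Run as root so that every home directory is readable; the script changes nothing on disk.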


Forum|alt.badge.img+14
  • Honored Contributor
  • 408 replies
  • July 9, 2019

Update from Zoom just now is that a client with a fix for the web server is being released tonight, followed by another release July 12th with a fix for the default video settings.


Forum|alt.badge.img+1

@jalbert That will totally disable the camera and prevent users from using it when they need to use it.


Forum|alt.badge.img
  • New Contributor
  • 1 reply
  • July 9, 2019

Patch tonight, July 9, 2019:
https://twitter.com/zoom_us/status/1148689995219099649


Forum|alt.badge.img+8
  • Contributor
  • 11 replies
  • July 9, 2019

new version with patch released https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS


danny_gutman
Forum|alt.badge.img+7

When will Jamf update Patch Management to include the latest version? How are you guys rolling out the new update?


Forum|alt.badge.img+13

@stevewood Good catch, I mucked it up when I was generalizing it. I've corrected it above and thanked my lucky stars I only ran it on my testers.


Forum|alt.badge.img

@danny.gutman For a quick deploy, I used the Extension Attribute @sdagley put together (https://www.jamf.com/jamf-nation/discussions/32561/zoom-exploit#responseChild187183), forced an inventory update on all machines 1/computer at recurring check-in, created a Smart Group keyed to the Extension Attribute set to "Yes", then created a policy scoped to that Smart Group that deploys the latest Zoom version 1/day at recurring check-in and then updates the inventory. I could do 1/computer, but I figure this way if someone somehow installs an old version of Zoom on a machine somehow, the policy wouldn't catch it.

Only annoying part: the Zoom pkg I downloaded automatically opens the Zoom app upon completion of the install/update.


iJake
Forum|alt.badge.img+21
  • Contributor
  • 279 replies
  • July 10, 2019

Zoom's extremely non-standard installer also autolaunches the app when it's done but you can expand the package, modify the preinstall script, and flatten the package back down. You'll need an installer signing cert of your own if you want to sign the package again.

pkgutil --expand /path/to/Zoom.pkg /path/to/expandedFolder

Comment out line 455 of the preinstall script and save the file
# open "$APP_PATH"&

pkgutil --flatten /path/to/expandedFolder /path/to/newPackageUnsigned.pkg

Optional:
productsign --sign 'Developer ID Installer: YOUR ID HERE' /path/to/newPackageUnsigned.pkg /path/to/newPackage.pkg

AVmcclint
Forum|alt.badge.img+21
  • Esteemed Contributor
  • 1043 replies
  • July 10, 2019

For those of you struggling with setting the default preferences on your Zoom deployments, you will want to bookmark this page: Zoom Mass Deployment with Preconfigured Settings. There is a Windows version out there too if you're interested.


dan-snelson
Forum|alt.badge.img+28
  • Honored Contributor
  • 632 replies
  • July 10, 2019

@brysontyrrell Any insights if Jamf's Patch Management team can expedite an update to the definition for Zoom?


ImAMacGuy
Forum|alt.badge.img+23
  • Esteemed Contributor
  • 1310 replies
  • July 10, 2019

@iJake I didn't see those lines in the latest version of the ZoomInstallerIT.pkg


Forum|alt.badge.img+10
  • Valued Contributor
  • 158 replies
  • July 10, 2019

After deploying the new package, ZoomOpener is still there and is still running. Not sure if I'm expected to remove and reinstall it, because that would just be running the same script we were all trying to get working yesterday...


AVmcclint
Forum|alt.badge.img+21
  • Esteemed Contributor
  • 1043 replies
  • July 10, 2019

@hdsreid some of my users told me the same thing. After quitting and relaunching the app it seems to have killed it for some. I'm still waiting for feedback from others.

