Zoom Exploit

mlr
New Contributor II

For those of you who wake up to Zoom Exploit news.

You can set ZoomOpener.app as a Restricted Software.

Kill Process
Restrict to exact process name
Kill Process.

I would not recommend turning on Send Email or Message to the user.8901e851a56e4bb5a97b1b5e685d1957

103 REPLIES 103

sdagley
Esteemed Contributor II

@ClassicII Either I'm seeing an odd layout, or it looks like some of the software update commands in your article had the -- (double minus?) replaced with an – (en dash).

ClassicII
Contributor III

@sdagley

Thank you for the heads up! That is exactly what happened, in the code I had - - but it was converted to one -. I changed the formatting to code so shows up properly now. You win the Mr. Macintosh Eagle Eye Award for the day! :)

donmontalvo
Esteemed Contributor III

ClassicII
Contributor III

The Zoom thing just turned from opening up an unwanted meeting with the camera on to full blown RCE.

https://nvd.nist.gov/vuln/detail/CVE-2019-13567

If you are scoping for only the app in your policies, you may not catch everyone. If users heard of the news and deleted the app the web server still remains!!!

Even worse the MRT Scanner does not until after a reboot.

Update your Machines and Force MRT scanner to run without a reboot!

donmontalvo
Esteemed Contributor III

[EDIT: To support MRTConfigData 1.60.]

We opened a ticket with Apple, they advised we run as daemon (-d).

This script checks MRT version, downloads the update, then runs MRT, then checks the version again:

#!/bin/sh

verString=$( defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )

# Check MRT version
echo "MRT is version ${verString}."

# Update MRT
echo "Updating MRT."
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.60 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.59 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.58 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.57 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.56 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.55 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.54 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.53 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.52 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.51 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.50 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.49 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.48 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data 2>/dev/null

# Run as daemon
#echo "Running MRT as daemon."
#/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d

# Check MRT version
echo "MRT is version ${verString}."

exit 0

EA for reporting:

#!/bin/sh

MRTvers=$( /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )

echo "<result>$MRTvers</result>"

We have a Smart Computer Group that reports on computers having 1.4.5 thru 1.60 for a bit of future proofing.

However, would not exclude any computers, since MRT might be up to date but not have run.... :)

Thanks @ClassicII for your awesome blog, Apple likes it too!

--
https://donmontalvo.com

ImAMacGuy
Valued Contributor II

Looks like a tweaked version of the client is out...
4.4.55313.0714

jclark27
New Contributor III

Hey guys

So if I wanted to just see my affected users, I could run that handysmart group check that @balexander posted, correct? And then we can just run the MRT update script to every computer in our environment to make sure we're all good yeah? Apologies as I am literally just getting back from vaycay and making sure I got everything haha. I want to ensrue there is nothing else I am missing. Besides the MRT to everyone, is there anything else I should ensure we run?

balexander667
New Contributor III

that should do it. and to be honest, at this point MRT has probably updated on any machines that have been online the past week or so. It seems to happen pretty quickly and automagically. also; just checked and looks like the current MRT version is still 1.45, so you can keep that value for the smart group value.

Nix4Life
Valued Contributor

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon

balexander667
New Contributor III

e5a0e301d7134f6795772ef65af531e2

i see posts everywhere about 1.46, but am not seeing it actually being available yet. weird.

kfjamf
New Contributor III

I was able to get 1.46 (and new Gatekeeper) with:

softwareupdate -i -r --include-config-data

donmontalvo
Esteemed Contributor III

@Nix4Life

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon

Would be nice if Apple provided an MRT release notes page.

--
https://donmontalvo.com

balexander667
New Contributor III

yeah @kfbbt if i run /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data it updates to 1.46 just fine.

Nix4Life
Valued Contributor

We have a reposado server. Agree @donmontalvo . How you holding up out there buddy

Nix4Life
Valued Contributor

oh and here's another zoom update for ya

zoom.us v 4.4.55387.0716

is zoom the new flash?

dueces

balexander667
New Contributor III

Or for the love of.....

https://9to5mac.com/2019/07/16/ringcentral-and-zhumu-macos-update/

apparently 1.46 was pushed because everything is poisonous and all software vendors are against us :)

jrepasky
New Contributor III

Nix4Life...The new flash. 4.4.55387.0716 released without release notes and/or notice. Thanks Zoom!

ClassicII
Contributor III

This zoom thing keeps on going!!!

10 more Zoom Vulnerabilities and a new RCE found.

  1. /.ringcentralopener
  2. /.telusmeetingsopener
  3. /.btcloudphonemeetingsopener
  4. /.officesuitehdmeetingopener
  5. /.attvideomeetingsopener
  6. /.bizconfopener
  7. /.huihuiopener
  8. /.umeetingopener
  9. /.zhumuopener 10./.zoomcnopener

I tried to put all this new stuff on Zoom and MRT in a big Index of Information and links for you.

https://mrmacintosh.com/zoom-vulnerably-round-2-10-more-variants-index-of-mrt-links-info/

donmontalvo
Esteemed Contributor III

Wow, updated script to support 1.47, but holy mudder of gawd, what a mess.

@Nix4Life zoom.us is killing me man...killing me...haha

--
https://donmontalvo.com

ClassicII
Contributor III

No kidding @donmontalvo !!!!

I mean how many different Zoom variants are out there? We are now at 14 total, you would think zoom would know exactly how many exist.

Jclark
New Contributor

Hey all!

Apoliogies for sounding pretty inept at folowing this, but for someone just getting back from a vaycay and seeing this all, Im trying to make sure im current haha...

So to ensure I nail down which of my end users are affected by this, I can run a smart group check, and set it up like @balexander did? (thank you so much for that!)

And then is it simply a matter of running a script like the one in the deflounder page and then ensure the MRT update is run on all computers? Would that be an effective way of going about this? Am I doing too much? too little? Apologies as I work in a k-12 so we want to ensure we get everyone taken care of.

Thanks so much for any help

donmontalvo
Esteemed Contributor III

Updated script to cover 1.60 (as of today 1.50 is latest that we are seeing).

Also disabled the "MRT -d" since existing computers are already remediated.

https://www.jamf.com/jamf-nation/discussions/32561/zoom-exploit#responseChild187476

And new computers ship with post-vulnerability MRT version.

--
https://donmontalvo.com

jhuls
Contributor III

@donmontalvo Are you aware of some documentation, a thread, or something that can educate us a bit more on MRT? You mention that 1.50 is the latest you're seeing and that's what is on my system but it looks like your script has other versions in it besides 1.60. Are those real versions or is it some sort of guess that they might exist at some point?

donmontalvo
Esteemed Contributor III

@jhuls sorry for the very late response, might check developer.apple.com.

--
https://donmontalvo.com