Jamf Nation Community

@sdagley

Thank you for the heads up! That is exactly what happened, in the code I had - - but it was converted to one -. I changed the formatting to code so shows up properly now. You win the Mr. Macintosh Eagle Eye Award for the day! :)

https://www.jamf.com/jamf-nation/discussions/29561/script-to-install-update-zoom#responseChild187390

The Zoom thing just turned from opening up an unwanted meeting with the camera on to full blown RCE.

https://nvd.nist.gov/vuln/detail/CVE-2019-13567

If you are scoping for only the app in your policies, you may not catch everyone. If users heard of the news and deleted the app the web server still remains!!!

Even worse the MRT Scanner does not until after a reboot.

Update your Machines and Force MRT scanner to run without a reboot!

[EDIT: To support MRTConfigData 1.60.]

We opened a ticket with Apple, they advised we run as daemon (-d).

This script checks MRT version, downloads the update, then runs MRT, then checks the version again:

#!/bin/sh

verString=$( defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )

# Check MRT version
echo "MRT is version ${verString}."

# Update MRT
echo "Updating MRT."
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.60 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.59 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.58 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.57 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.56 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.55 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.54 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.53 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.52 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.51 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.50 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.49 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.48 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data 2>/dev/null
/usr/sbin/softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data 2>/dev/null

# Run as daemon
#echo "Running MRT as daemon."
#/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d

# Check MRT version
echo "MRT is version ${verString}."

exit 0

EA for reporting:

#!/bin/sh

MRTvers=$( /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )

echo "<result>$MRTvers</result>"

We have a Smart Computer Group that reports on computers having 1.4.5 thru 1.60 for a bit of future proofing.

However, would not exclude any computers, since MRT might be up to date but not have run.... :)

Thanks @ClassicII for your awesome blog, Apple likes it too!

Looks like a tweaked version of the client is out...
4.4.55313.0714

Hey guys

So if I wanted to just see my affected users, I could run that handysmart group check that @balexander posted, correct? And then we can just run the MRT update script to every computer in our environment to make sure we're all good yeah? Apologies as I am literally just getting back from vaycay and making sure I got everything haha. I want to ensrue there is nothing else I am missing. Besides the MRT to everyone, is there anything else I should ensure we run?

that should do it. and to be honest, at this point MRT has probably updated on any machines that have been online the past week or so. It seems to happen pretty quickly and automagically. also; just checked and looks like the current MRT version is still 1.45, so you can keep that value for the smart group value.

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon

i see posts everywhere about 1.46, but am not seeing it actually being available yet. weird.

I was able to get 1.46 (and new Gatekeeper) with:

softwareupdate -i -r --include-config-data

@Nix4Life

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon

Would be nice if Apple provided an MRT release notes page.

yeah @kfbbt if i run /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data it updates to 1.46 just fine.

We have a reposado server. Agree @donmontalvo . How you holding up out there buddy

oh and here's another zoom update for ya

zoom.us v 4.4.55387.0716

is zoom the new flash?

dueces

Or for the love of.....

https://9to5mac.com/2019/07/16/ringcentral-and-zhumu-macos-update/

apparently 1.46 was pushed because everything is poisonous and all software vendors are against us :)

Nix4Life...The new flash. 4.4.55387.0716 released without release notes and/or notice. Thanks Zoom!

This zoom thing keeps on going!!!

10 more Zoom Vulnerabilities and a new RCE found.

1. /.ringcentralopener
2. /.telusmeetingsopener
3. /.btcloudphonemeetingsopener
4. /.officesuitehdmeetingopener
5. /.attvideomeetingsopener
6. /.bizconfopener
7. /.huihuiopener
8. /.umeetingopener
9. /.zhumuopener 10./.zoomcnopener

I tried to put all this new stuff on Zoom and MRT in a big Index of Information and links for you.

https://mrmacintosh.com/zoom-vulnerably-round-2-10-more-variants-index-of-mrt-links-info/

Wow, updated script to support 1.47, but holy mudder of gawd, what a mess.

@Nix4Life zoom.us is killing me man...killing me...haha

No kidding @donmontalvo !!!!

I mean how many different Zoom variants are out there? We are now at 14 total, you would think zoom would know exactly how many exist.

Hey all!

Apoliogies for sounding pretty inept at folowing this, but for someone just getting back from a vaycay and seeing this all, Im trying to make sure im current haha...

So to ensure I nail down which of my end users are affected by this, I can run a smart group check, and set it up like @balexander did? (thank you so much for that!)

And then is it simply a matter of running a script like the one in the deflounder page and then ensure the MRT update is run on all computers? Would that be an effective way of going about this? Am I doing too much? too little? Apologies as I work in a k-12 so we want to ensure we get everyone taken care of.

Thanks so much for any help

Updated script to cover 1.60 (as of today 1.50 is latest that we are seeing).

Also disabled the "MRT -d" since existing computers are already remediated.

https://www.jamf.com/jamf-nation/discussions/32561/zoom-exploit#responseChild187476

And new computers ship with post-vulnerability MRT version.

@donmontalvo Are you aware of some documentation, a thread, or something that can educate us a bit more on MRT? You mention that 1.50 is the latest you're seeing and that's what is on my system but it looks like your script has other versions in it besides 1.60. Are those real versions or is it some sort of guess that they might exist at some point?

@jhuls sorry for the very late response, might check developer.apple.com.