Info about the exploit here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Mac Chrome users can also reset Chrome to no open up Zoom automatically however its a little painful:
Directions here: https://lifehacker.com/reset-chrome-to-stop-automatically-opening-apps-1820404423

I changed {"zoommtg":false} to {"zoommtg":true} and saved. It now prompts to open Zoom again.

Yep just actioned the above, also added zoom.us.app to restrictions

It seems Zoom gets hit by the bad news bug every six months or so.

In case anyone is looking for an automated/deployable way of executing the commands recommended on the blog post. Meant to be run as root; global defaults command will fail if non-admin.

#!/bin/bash



# Disable auto-video on Zoom

# For just your local account

user=`stat -f "%Su" /dev/console`

defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# For all users on the machine

defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1



# Delete webserver

zoompid=`lsof -ti :19421`

kill -9 "$zoompid"

rm -rf "$user"/.zoomus

touch "$user"/.zoomus

is deleting the webserver critical? I thought i saw it would just reinstall itself?

added a little logic to @zbennis script so it doesn't error out if it doesn't find the PID

#!/bin/bash



# Disable auto-video on Zoom

# For just your local account

user=`stat -f "%Su" /dev/console`

defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# For all users on the machine

defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1



# Delete webserver

zoompid=`lsof -ti :19421`

echo "$zoompid"

if [ -z "$zoompid" ] ; then

    echo "zoompid not found"

else

    kill -9 "$zoompid"

fi

rm -rf ~/.zoomus

touch ~/.zoomus



exit 0

Work in progress.

#!/bin/bash

# For all users on the machine

defaults write ~/Library/Preferences/us.zoom.xos.plist ZDisableVideo 1

defaults write ~/Library/Preferences/us.zoom.ringcentral.plist ZDisableVideo 1



#Kill Zoom Opener Apps

pkill "ZoomOpener"

pkill "RingCentralOpener"



#Remove Zoom Opener webservices

rm -rf ~/.zoomus

rm -rf ~/.ringcentralopener



#Create empty folders 

touch ~/.zoomus

touch ~/.ringcentralopener



exit

Editing to incorporate some of the feedback, thanks all. Not sure about the "Disable Video" for Ring Central but testing.

@jhatem @zbennis @strayer

Are you seeing success with those defaults write commands? I'm testing on my machine, and that plist does not exist in either location, and if I put that plist in both locations it has no effect on the disable video pref.

Looking at files that are changed when making that pref change in Zoom, it looks like only the /Users/<user>/Library/Application Support/zoom.us/Data/zoomus.db file and /Users/<user>/Library/Preferences/us.zoom.xos.plist files are changed.

@jhatem
if you don't

touch ~/.zoomus

after you remove it then next time they open zoom up it will rebuild the same thing.

So I took the script for killing zoomopener and preventing it from being re-installed from the medium article and re-wrote it in a jamf compatible fashion.

# To prevent the vulnerable server from running on your machine

# (this does not impact Zoom functionality), run these two lines in your Terminal.



pkill "ZoomOpener"; rm -rf /Users/$3/.zoomus; touch /Users/$3/.zoomus && chmod 000 /Users/$3/.zoomus;



pkill "RingCentralOpener";  rm -rf /Users/$3/.ringcentralopener; touch /Users/$3/.ringcentralopener && chmod 000 /Users/$3/.ringcentralopener;

It is honestly just replacing
~ with /Users/$3/ but it gets the job done.

This does not prevent the folders from being modified if they do not already exist. Our company uses Zoom, so we all have this.

In regards to the automatically start video preference file, we need to discuss internally what the best course of action is as that would have a huge impact on our users.

edit: The reason why we would want to use a defaults write command to fix the don't start video automatically preference is that a plist would potentially override all of the other settings in the app, correct? Or has no one tested this method?

@stevewood Gotta be honest, I haven't tested the preference portion of the script at all. We were much more concerned about the webserver chunk at the bottom. I was mostly just trusting @zbennis on the top chunk.

@stevewood I've been seeing the same. Once I purge that zoomus.db file it seems to load the preferences correctly. Given this
article from Zoom I was really hoping it would work with a config profile but no dice.

I am not seeing either of the defaults write commands work on a 10.13 machine. The checkbox does not get turned on to disable video. Haven't tried "sdamiano" solution yet.....

I've tried each script in this thread and none of them has changed the setting to "turn off video" for me in testing. Has anyone had success with this and are you willing to share your script or the screenshots of the settings around the policy? I'm relatively new to this and could easily be making a simple mistake.

Thanks!

Thanks for the feedback.
I'm seeing us.zoom.xos.plist as the right file to tweak. Also,

One more we may want to touch up?
~/Library/Preferences/us.zoom.ringcentral.plist I imagine this may have the same "video on" default?

Just putting this together and it seems to set the preferences as expected.

#!/bin/bash

# Disable auto video and auto mic



currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')

prefPath="/Library/Preferences/us.zoom.config.plist"

zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"



#Clear Out existing App Support DB

if [ -e "$zoomAppSupportPath" ]; then

    rm -rf "$zoomAppSupportPath"

fi



# Apply to all users on the machine

# Clear any existing preferences

if [ -e "$prefPath"  ]; then

    rm -rf "$prefPath"

fi



# Apply for all users

defaults write "$prefPath" ZDisableVideo 1

defaults write "$prefPath" MuteVoipWhenJoin 1

chown root:wheel "$prefPath"



# create the placeholder

rm -rf "$currentUserHome/.zoomus"

touch "$currentUserHome/.zoomus"





exit 0

Been playing with this all morning....I have a script that works for me so far, note that there is no error checking or anything.
Testing:
Install zoomus on computer
test PoC attack, make sure it auto joins and it binds to the 19421 port
Run script - nothing is bound to 19421 when running lsof
Open Zoom app check lsof - nothing running on 19421 still
Run the PoC exploit and Chrome displays a broken image and nothing launches on the machine

#!/bin/bash



#variable declarations###########

#################################

loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "

");')

zoomPID=$(sudo lsof -i :19421 | tail -n 1 | awk '{print $2}')

#################################





#################################

#disable webcam for all accounts#

#################################

defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

#################################



#################################

#kill zoom server process########

#remove zoom server directory####

#create stub directory###########

#################################

sudo kill -9 $zoomPID

rm -rf /Users/$loggedInUser/.zoomus

pkill "ZoomOpener"; rm -rf /Users/$loggedInUser/.zoomus; touch /Users/$loggedInUser/.zoomus && chmod 000 /Users/$loggedInUser/.zoomus;



pkill "RingCentralOpener";  rm -rf /Users/$loggedInUser/.ringcentralopener; touch /Users/$loggedInUser/.ringcentralopener && chmod 000 /Users/$loggedInUser/.ringcentralopener;

##################################









exit 0

I have set it to run once per user per computer, however 95% of my machines are single user only. Not sure how that will impact some of your environments, but globally setting the webcam preference at least helps a bit

If you want an EA to tell you if the hidden ZoomOpener.app is installed on a machine here's something I adapted from @cdietrich's post to the #Security MacAdmins Slack channel:

#!/bin/bash



zoomFound="No"



for USER_HOME in /Users/*; do

  USER_UID=$(basename "${USER_HOME}")

  if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then

    zoomFound="Yes"

  fi

done



echo -e "<result>$zoomFound</result>"

The plist file does not work. However, I have found this on the Zoom site that does.
https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac

There is a separate IT Admin installer that can be run in the same location as the plist file which will configure the disabled setting. I have tested successfully on a number of Macs in our environment. Interestingly enough it does not copy the plist file to the Preferences location (like their guide said it should) ... BUT it does work.

I'm still trying to figure out where it actually is saving the config setting. No luck on that yet.

@andrew.nicholas I used the .plist chunk of your script with the kill pid section of my previous post and it worked successfully. I then changed the preferences back and flushed logs and it reset the preferences back for me.
this is what I ended up with

#!/bin/bash



# Disable auto-video on Zoom

# For just your local account

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

currentUserHome=$( dscl . read /Users/"$currentUser" | awk '{print $2}')

prefPath="/Library/Preferences/us.zoom.config.plist"

zoomAppSupportPath="$currentUserHome/Application Support/zoom.us"



#Clear Out existing App Support DB

if [ -e "$zoomAppSupportPath" ]; then

    rm -rf "$zoomAppSupportPath"

fi



# Apply to all users on the machine

# Clear any existing preferences

if [ -e "$prefPath"  ]; then

    rm -rf "$prefPath"

fi



# Apply for all users

defaults write "$prefPath" ZDisableVideo 1

defaults write "$prefPath" MuteVoipWhenJoin 1

chown root:wheel "$prefPath"



# Delete webserver

zoompid=`lsof -ti :19421`

echo "$zoompid"

if [ -z "$zoompid" ] ; then

    echo "zoompid not found"

else

    kill -9 "$zoompid"

fi



# create the placeholder

rm -rf "$currentUserHome/.zoomus"

touch "$currentUserHome/.zoomus"



exit 0

EDIT: Fixed bottom section
EDIT: Fixed User direction.

@strayer glad to hear it but you might want to address the bottom section of the script. It's still referencing the homedir of the account running the script.

I made a custom preference profile to stop the webcam from joining automatically as well after running the terminal command from the medium post with the plist it generates.

@sharriston Does the app actually honor the config? I tried the same and it would not.

@andrew.nicholas So far it has been on all my coworkers machines. What I did was run this command

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

then copied that plist into the custom preferences section of a config profile. I would make sure you ran the /Library version of the command and not the ~/Library, that was an issue someone else had with it.

Yes the application is honoring the locally created preference file but is the custom configuration profile being honored on a machine that has not run the defaults write command?