Zoom Zero Day
After the latest news about a zero-day vulnerability in the Zoom client for Mac that allows a malicious website to hijack a user’s web camera without their permission, and after reading this article on Medium by a security researcher named Jonathan Leitschuh, I decided to do 3 things:
- uninstall the zoom.us application from macOS
- disable the ability for Zoom to turn on your webcam when joining a meeting
- shut down and prevent this server from being restored after updates
To confirm whether this server is present, run this in your terminal:
lsof -i :19421
You can use these find commands to search for all Zoom files and folders on your machine, and complete the public gist.
Find all files:
find . -type f 2>&1 | grep -iE "us.zoom|zoom|zoom.us"
Find all folders:
find . -type d 2>&1 | grep -iE "us.zoom|zoom|zoom.us"
I created a public gist called zoom_uninstall_macos-sh to mitigate these 3 items, using a public script from the Zoom Google Drive, instructions from Jonathan Leitschuh referenced in the Medium article, and also this post on Apple Stack Exchange.
#!/usr/bin/env bash
echo "Stopping Zoom..."
pkill "zoom.us"
echo "Cleaning Zoom..."
echo "Cleaning Application Cached Files..."
{
rm -fr -- ~/Library/Application\ Support/zoom.us
rm -fr -- ~/Library/Application\ Support/ZoomPresence
rm -fr -- ~/Library/Caches/us.zoom.xos
rm -fr -- ~/Library/Logs/zoom.us/
rm -fr -- ~/Library/Logs/zoomRooms/
rm -fr -- ~/Library/Logs/zoominstall.log
rm -fr -- ~/Library/Preferences/ZoomChat.plist
rm -fr -- ~/Library/Preferences/us.zoom.xos.plist
rm -fr -- ~/Library/Saved\ Application\ State/us.zoom.xos.savedState
}
echo "Cleaning Application..."
{
rm -fr -- ~/Applications/zoom.us.app
rm -fr -- ~/.zoomus/ZoomOpener.app
rm -fr -- ~/.zoomus
}
echo "Removed Application..."
echo "Preventing the vulnerable server from running on your machine..."
# (You may need to run these lines for each user on your machine.)
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;
echo "Disabling the ability of Zoom to turn on your webcam when joining a meeting..."
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1 # For just your local account
echo "Removing Launch Daemons/Agents and Internet Plug-Ins..."
{
rm -fr -- ~/Library/LaunchDaemons/us.zoom.rooms.daemon.plist
rm -fr -- ~/Library/LaunchAgents/us.zoom*
rm -fr -- ~/Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
}
echo "Switching to a user with sudo privileges to remove more zoom things..."
{
sudo rm -fr -- /Applications/zoom.us.app
sudo kextunload -b zoom.us.ZoomAudioDevice
sudo rm -fr -- /System/Library/Extensions/ZoomAudioDevice.kext
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1 # For all users on the machine
sudo rm -fr -- /Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
sudo rm -fr -- /Library/LaunchDaemons/us.zoom.rooms.daemon.plist
sudo rm -fr -- /Library/LaunchAgents/us.zoom*
}
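To check afterwards that the three mitigations actually took effect, the following verification script can be run. It is an added example, not part of the original gist or of Zoom's script. The function names are hypothetical; the paths, the preference key and port 19421 are the ones used above.

```bash
#!/usr/bin/env bash
# Added verification example; not part of the original gist.

# True only if $1 is a regular file with every permission bit cleared: the
# state "touch ~/.zoomus && chmod 000 ~/.zoomus" leaves behind. A directory
# at this path means the opener's folder is back.
is_blocker_file() {
  local path="$1" mode
  [ -f "$path" ] && [ ! -L "$path" ] || return 1
  mode=$(ls -ld -- "$path" | cut -c1-10)   # portable across BSD and GNU ls
  [ "$mode" = "----------" ]
}

# True if nothing listens on local TCP port $1; returns 2 if lsof is missing.
port_is_closed() {
  command -v lsof >/dev/null 2>&1 || return 2
  ! lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# True if the per-user ZDisableVideo preference under home directory $1 is 1.
video_disabled() {
  command -v defaults >/dev/null 2>&1 || return 2
  [ "$(defaults read "$1/Library/Preferences/us.zoom.config.plist" \
        ZDisableVideo 2>/dev/null)" = "1" ]
}

# Runs all checks for one home directory; non-zero if any check fails.
zoom_mitigation_report() {
  local home="${1:-$HOME}" failed=0 f
  for f in "$home/.zoomus" "$home/.ringcentralopener"; do
    if is_blocker_file "$f"; then echo "OK   $f is a mode-000 placeholder"
    else echo "FAIL $f is not a mode-000 placeholder file"; failed=1; fi
  done
  if port_is_closed 19421; then echo "OK   nothing listening on TCP 19421"
  else echo "FAIL listener on TCP 19421 (or lsof unavailable)"; failed=1; fi
  if video_disabled "$home"; then echo "OK   ZDisableVideo is 1"
  else echo "FAIL ZDisableVideo is not 1 (or defaults unavailable)"; failed=1; fi
  return "$failed"
}

zoom_mitigation_report "$HOME" || echo "One or more mitigations are not in place."
```

Re-running it after a Zoom or RingCentral update shows whether the placeholder files are still in place or have been replaced by a directory again.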