Zoom Zero Day

After the latest news about a zero-day vulnerability in the Zoom client for Mac that allows a malicious website to hijack a user’s web camera without their permission.

Reading this article at Medium from a Security Researcher named Jonathan Leitschuh

So I decided to do 3 things

uninstall zoom.us application from macOS
disable the ability for Zoom to turn on your webcam when joining a meeting
shut down and prevent this server from being restored after updates

To confirm if this server is present run this in your terminal.

lsof -i :19421

You can use this find commands to search all zoom files and folders in your machine, and complete the public gist.

find all files

find . -type f |&grep -iE "us.zoom|zoom|zoom.us"

find all folders

find . -type d |&grep -iE "us.zoom|zoom|zoom.us"

I created a public gist called zoom_uninstall_macos-sh to mitigate these 3 items,
using a public script from Zoom Google Drive, instructions from Jonathan Leitschuh referenced in the medium article and also this post at apple stackexchange.

#!/usr/bin/env bash

echo Stopping Zoom...
pkill "zoom.us"

echo Cleaning Zoom...
echo Cleaning Application Cached Files...
{
  rm -fr -- ~/Library/Application\ Support/zoom.us
  rm -fr -- ~/Library/Application\ Support/ZoomPresence
  rm -fr -- ~/Library/Caches/us.zoom.xos
  rm -fr -- ~/Library/Logs/zoom.us/
  rm -fr -- ~/Library/Logs/zoomRooms/
  rm -fr -- ~/Library/Logs/zoominstall.log
  rm -fr -- ~/Library/Preferences/ZoomChat.plist
  rm -fr -- ~/Library/Preferences/us.zoom.xos.plist
  rm -fr -- ~/Library/Saved\ Application\ State/us.zoom.xos.savedState
}

echo "Cleaning Application..."
{
  rm -fr -- ~/Applications/zoom.us.app
  rm -fr -- ~/.zoomus/ZoomOpener.app
  rm -fr -- ~/.zoomus
}
echo "Removed Application..."

echo "Preventing the vulnerable server from running on your machine..."
# (You may need to run these lines for each user on your machine.)
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener";  rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

echo "Disabling the ability of Zoom to turn on your webcam when joining a meeting..."
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1           # For just your local account

echo "Removing Launch Daemons/Agents and Internet Plug-Ins..."
{
  rm -fr -- ~/Library/LaunchDaemons/us.zoom.rooms.daemon.plist
  rm -fr -- ~/Library/LaunchAgents/us.zoom*
  rm -fr -- ~/Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
}

echo "Switching to a user with sudo privileges to remove more zoom things..."
{
  sudo rm -fr -- /Applications/zoom.us.app
  sudo kextunload -b zoom.us.ZoomAudioDevice
  sudo rm -fr -- /System/Library/Extensions/ZoomAudioDevice.kext
  sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1       # For all users on the machine
  sudo rm -fr -- /Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
  sudo rm -fr -- /Library/LaunchDaemons/us.zoom.rooms.daemon.plist
  sudo rm -fr -- /Library/LaunchAgents/us.zoom*
}