(Subscribe to this gist for any updates as we get them.)
If you're using macOS, Apple has pushed an update that will remove the 14 known web servers for you. To check if you already have it:
/usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
If the latest version you have installed is 1.47
, you should be secure against the
vulnerability in these applications. If necessary, you may run an MRT scan yourself:
sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a
If your latest version is for some reason out of date, you can force an update of MRTConfigData:
- Run
softwareupdate --list --include-config-data
- Find any and all
MRTConfigData
related updates (such asMRTConfigData_10_14-1.47
), and install them withsoftwareupdate -i [package_name] --include-config-data
or
- Force an install of all available updates:
softwareupdate -ia --include-config-data
The latest versions of both Zoom and RingCentral will also remove the servers themselves, so if you still have either application installed, check to be sure it's up to date.
To remove all the known daemons manually, run these commands in your Terminal:
# Removed by MRT 1.45
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"
# Removed by MRT 1.46
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.telusmeetingsopener; touch ~/.telusmeetingsopener && chmod 555 ~/.telusmeetingsopener; pkill "TelusMeetingsOpener"
rm -rf ~/.btcloudphonemeetingsopener; touch ~/.btcloudphonemeetingsopener && chmod 555 ~/.btcloudphonemeetingsopener; pkill "BTCloudPhoneMeetingsOpener"
rm -rf ~/.officesuitehdmeetingopener; touch ~/.officesuitehdmeetingopener && chmod 555 ~/.officesuitehdmeetingopener; pkill "OfficeSuiteHDMeetingOpener"
rm -rf ~/.attvideomeetingsopener; touch ~/.attvideomeetingsopener && chmod 555 ~/.attvideomeetingsopener; pkill "ATTVideoMeetingsOpener"
rm -rf ~/.bizconfopener; touch ~/.bizconfopener && chmod 555 ~/.bizconfopener; pkill "BizConfOpener"
rm -rf ~/.huihuiopener; touch ~/.huihuiopener && chmod 555 ~/.huihuiopener; pkill "HuihuiOpener"
rm -rf ~/.umeetingopener; touch ~/.umeetingopener && chmod 555 ~/.umeetingopener; pkill "UMeetingOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
rm -rf ~/.zoomcnopener; touch ~/.zoomcnopener && chmod 555 ~/.zoomcnopener; pkill "ZoomCNOpener"
# Removed by MRT 1.47
rm -rf ~/.accessionmeetingopener; touch ~/.accessionmeetingopener && chmod 555 ~/.accessionmeetingopener; pkill "AccessionMeetingOpener"
rm -rf ~/.videoconferenciatelmexopener; touch ~/.videoconferenciatelmexopener && chmod 555 ~/.videoconferenciatelmexopener; pkill "VideoConferenciaTelmexOpener"
rm -rf ~/.earthlinkmeetingroomopener; touch ~/.earthlinkmeetingroomopener && chmod 555 ~/.earthlinkmeetingroomopener; pkill "EarthLinkMeetingRoomOpener"
These commands do the same thing for each of the known white labels of Zoom. They remove the web server if it exists at the hidden directory, and create an empty file and set permissions on it such that the hidden server cannot be reinstalled back to that location. Finally they kill the server if it is running.
If you're using Safari on macOS you're now good to go. However if you're using any other browser (even on other operating systems) you may still see a link immediately open Zoom (or another app) for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".
Here's how to undo that.
For Chrome:
- Navigate to chrome://version/ and find the path listed under "Profile Path".
- Quit Chrome, open that directory, and then open the "Preferences" file.
- This is a JSON file. Look for the strings similar to
"zoommtg":false
,"zoomrc":false
,"zhumu":false
, or whatever likely coincides with your white labelled application. If either exist, remove them. If there is a comma immediately after either string, remove it as well. - Save the file.
For Firefox:
- Open Firefox's Preferences.
- Search for the string
Applications
using "Find in Preferences". - If you see a table with the headers "Content Type" and "Action", find the rows labeled
zoommtg
,zoomrc
, orzhumu
, or whatever likely coincides with your white labelled application. If any exist, set their action to "Always ask"
In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.
If you are aware of any other rebranded Zoom applications not covered here, please let me know.
Running something like lsof +c 15 -i :19400-19500
(look for any FooOpener
s) or using
the below yara rules may find more. If you find any not in this list, please
email, tweet, or
call me so we can investigate it further.
Thanks for the one liner!!! I really appreciate it! Just tested and it worked as expected :)