Zoom Zero-Day Flaw

9 July 2019 / Alexander Celeste

Yesterday a report came out describing a zero-day flaw in the Mac client for the popular online meeting service Zoom. The report is quite technical, but describes some very serious security flaws in the client software. I’m going to unpack the basics here, and most importantly give you a (fairly) straightforward way to secure your Mac if you have Zoom installed. I highly encourage everyone to follow these steps as soon as possible.

The Flaw

The core of the security flaw is that a malicious website can force you into a Zoom meeting with video and audio automatically enabled. This is achieved through the website calling out to a webserver on your Mac that Zoom installed, which incidentally remains even if you uninstall Zoom, and will reinstall Zoom if you ask to join a meeting, all without asking you for permission. The launching of Zoom through this server is achieved through a specially-crafted image, which they use to bypass sandbox security implemented by browsers to try and stop this sort of thing. This was reported to Zoom back in March, and by yesterday, the public disclosure deadline, Zoom still hadn’t fully fixed the problems (they had made one fix, but a workaround was discovered). You can read all the technical details at the report linked earlier in this post.

Instructions for how to Protect Your Mac

To secure your Mac against this zero-day you need to run a series of commands at the command-line on your Mac. You do this using the Terminal application, found in /Applications/Utilities. Copy and paste each of these commands exactly as they are below (with the exception of the one where you enter the PID unique to your Mac), hitting return after each one. I may get around to providing a simple tool anyone can run to perform these actions with one click, but this is serious enough that getting them documented and out to folks is a far higher priority.

Disable Zoom’s ability to turn on video by default:

defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1

Check for the hidden Zoom webserver:

lsof -i :19421

If this command returns any output then the server is running. In that case, take note of the number in the PID column.

Kill the server:

kill -9 (PID number from the previous step)

Remove the server’s files:

rm -rf ~/.zoomus

Create a new file in its place:

touch ~/.zoomus

Change its permissions so that Zoom cannot overwrite it and add the server back:

chmod 000 ~/.zoomus

You will need to perform these steps in every user account on your Mac that you have used Zoom in.
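
The server steps above, collected into one re-runnable script. This is an added example, not part of the original post; the function names and the --apply flag are its own, and it narrows the lsof check to listening sockets so that a browser merely connected to the port is not killed.

```sh
#!/bin/sh
# Added example: function names and the --apply flag are this example's own.
ZOOM_PORT=19421

# PIDs of processes LISTENING on the port (empty if none, or if lsof is absent).
# -sTCP:LISTEN skips clients such as a browser tab that merely connected to it.
zoom_server_pids() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -t -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null || true
}

kill_zoom_server() {
    for pid in $(zoom_server_pids); do
        kill -9 "$pid" 2>/dev/null || true
    done
}

# Replace <home>/.zoomus (directory, or a file left by an earlier run) with an
# empty file that has no permission bits, so the directory cannot be recreated.
lock_zoomus() {
    rm -rf "$1/.zoomus"
    touch "$1/.zoomus"
    chmod 000 "$1/.zoomus"
}

# Succeeds only when the placeholder is a regular file with mode 000.
is_locked() {
    [ -f "$1/.zoomus" ] && [ ! -L "$1/.zoomus" ] || return 1
    case "$(ls -ld "$1/.zoomus")" in
        ----------*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    if command -v defaults >/dev/null 2>&1; then
        defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
    fi
    kill_zoom_server
    sleep 1   # give the killed process a moment to release the port
    lock_zoomus "$HOME"
    if is_locked "$HOME" && [ -z "$(zoom_server_pids)" ]; then
        echo "OK: port $ZOOM_PORT is free and ~/.zoomus is locked"
    else
        echo "WARNING: check port $ZOOM_PORT and ~/.zoomus by hand" >&2
        exit 1
    fi
fi
```

Run it with --apply once in each user account; running it again is safe, because the placeholder file is simply recreated.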

Side-Effects

After performing these steps your Mac will be immune to this zero-day flaw. Unfortunately, Zoom will also no longer act quite as it has in the past. Specifically:

  • You will need to manually turn on video in all meetings.
  • The Zoom links to enter meetings will no longer work. Instead you’ll have to launch Zoom yourself, ask to join a meeting, and enter in the meeting id.
  • Zoom will no longer auto-update. Instead, every so often make sure to redownload the Zoom app from their website.

Once this issue is confirmed fixed, and if you ever again trust Zoom’s full install, then you should only need to delete the file you created and Zoom will set itself up as intended again:

rm ~/.zoomus

I strongly urge everyone that has ever used Zoom on their Mac to perform these steps. Yes, it will make joining a meeting more difficult, but it will make it so that you can’t unknowingly join a meeting with video enabled.

Update 10 July 2019 7 pm Central Time

Apple has pushed an update to the Malware Removal Tool built into macOS that removes the local Zoom web server from all Macs automatically.

Update 10 July 2019 3:40 pm Central Time

Zoom did release an update overnight last night that removes the local server. This version should not have the zero-day flaw in it.

Update 9 July 2019 4:20 pm Central Time

Zoom has announced that they plan to release an update by midnight tonight that removes the local web server.

Update 9 July 2019 3:40 pm Central Time

I noticed that my Mac’s Zoom client was slightly out of date. When I went to download the latest version what they give you is an installer package. That is the first red flag, as very few developers need more than drag and drop to install their apps. I always open installer packages first with Suspicious Package, to examine what they’ll do before installing them. Now even more red flags appeared… The package runs a script upon opening, before you can even intervene. Now, this usually is just checking that you meet system requirements, but Zoom’s installer is messing with the Dock and doing a bunch of other things, some of which may be nefarious; I haven’t deciphered the script entirely yet.

But even more troubling, the installer package does not have any files it installs, and the scripts in the package include what appears to be the file structure of a kernel extension and web browser plugin, with almost no sign of a regular Mac app other than an entitlements file. But that isn’t how it should be. The scripts should just be scripts (preinstall, postinstall, and Distribution), and regular installer packages would put the files they install into the regular installation mechanism, which would appear as files in the package. The app itself is in the scripts folder in the zm.7z archive. You can use the 7z command (which can be installed with brew install p7zip) to extract the app. I would recommend doing this rather than running the installer package.

I think we’re starting to see why Zoom hasn’t fixed these flaws yet. It seems possible that they need to do a significant rearchitecting of the entire app and service to fix these problems. Zoom was such a good service… These flaws, and this unorthodox download, very much hurt their reputation in my book.
