
Check your Mac for the Zoom Video Conferencing Vulnerability

UPDATE 2019-07-11: Apple has confirmed they pushed out a “silent update” to remove the offending Zoom server on Macs, the same method they use to deal with malware—no user interaction needed.

I’ll leave my original post in place, but there is no need to follow the manual removal steps detailed below, thanks to Apple taking the unusual step of treating commercial software in use by millions as malware.

This security alert reveals such an unconscionable product design/business ethic failure I will never use or recommend the guilty party’s products again.

If you suspect you may have ever installed video conferencing software from Zoom or RingCentral on any of your Macs, it may very well still be running a web server in the background that could let somebody access the built-in FaceTime camera without your permission.

Open the Terminal app, found in the Utilities folder in the Applications folder on your Mac, and type or copy-and-paste the following command (followed by the return key) to confirm whether Zoom’s server is running:

lsof -i :19421

(The first character is a lower-case L)

If there is no response, you’re good.

If there is a response in the form of a bunch of technical text and numbers, the server is running. If you have a critical need to continue using Zoom, they released an emergency fix on July 9th, 2019, so updating to the latest version will supposedly remove the local web server. There will likely be an upgrade prompt when you open the app.

If you don’t have a critical need to use Zoom, and you are not familiar with or comfortable deleting files using the Terminal commands, install the latest version of the Zoom Mac Client and use the new option in the Zoom menu bar to manually uninstall the Zoom client, supposedly including the local web server.

I use the term supposedly because I cannot trust Zoom and will not let Zoom software anywhere near any of my devices, even links to their web site. If possible, manually uninstall everything to do with Zoom software from your devices.

1. In the response to the Terminal command lsof -i :19421 find the string of numbers underneath the text PID. This is the process ID of the Zoom web server.

2. Select the PID number and copy it to the clipboard.

3. On the command line, type:

kill -9

…followed by a space character, and then paste the PID number.

4. Press the return key. This stops the server emphatically (the -9 option) and specifically (by its unique process ID).

5. Delete Zoom software using the Finder:
a. Select the Go to Folder… command from the Finder’s Go menu.
b. Type ~/.zoomus to view the contents of a hidden folder in your Home folder.*
c. Drag any contents of the .zoomus folder to the Trash.
d. Repeat steps a through c to move the following items to the Trash:

~/Library/Application Support/zoom.us
/System/Library/Extensions/ZoomAudioDevice.kext
/Applications/zoom.us.app
~/Applications/zoom.us.app (in case it got installed in your Home folder Applications)

e. Empty the Trash, holding down the Control key if you want the deletion to be permanent.
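If you would rather script the check from steps 1 and 2 than read the lsof output by eye, here is a small shell script that does it. It is an added example, not from the original post or from Zoom; it assumes lsof is on your PATH (it is on macOS), and the sample lsof output embedded in it is constructed for illustration (the command name, PID and user are made up).

```shell
#!/bin/sh
# Added example (not part of the original post): find anything listening
# on the localhost port used by Zoom's background web server and report
# its command name and PID, the same information step 1 has you pick out
# of the lsof output by hand.

ZOOM_PORT=19421

# Read lsof output on stdin and print "COMMAND PID" for each LISTEN entry.
# lsof prints a header line (COMMAND PID USER ...) followed by one line
# per open socket; the last field of a listening socket is "(LISTEN)".
zoom_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2 }' | sort -u
}

# Run lsof against the port. Returns 0 when nothing is listening and 1
# (after printing the listeners) when something is. Assumes lsof exists.
check_zoom_port() {
    found=$(lsof -nP -i ":$ZOOM_PORT" 2>/dev/null | zoom_listeners)
    if [ -z "$found" ]; then
        echo "no process listening on port $ZOOM_PORT"
        return 0
    fi
    echo "listener on port $ZOOM_PORT (command pid):"
    echo "$found"
    return 1
}

# Constructed sample of what `lsof -i :19421` looks like on an affected
# Mac; the command name, PID and user are invented for this example.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene 4321 alice    5u  IPv4 0x1a2b      0t0  TCP localhost:19421 (LISTEN)
ZoomOpene 4321 alice    7u  IPv4 0x3c4d      0t0  TCP localhost:19421->localhost:52611 (ESTABLISHED)'

# Parse the constructed sample instead of live lsof output.
sample_listener_pids() {
    printf '%s\n' "$SAMPLE_LSOF" | zoom_listeners
}
```

Run `check_zoom_port` on a live Mac; the function's exit status (1 when a listener is found) makes it usable from a fleet-wide audit script.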

For the nitty-gritty details, refer to the blog post of the security researcher who discovered this travesty:

…if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage

*As part of its UNIX heritage, the Finder hides any files or folders that start with periods, and if you try making your own it will scold, “You can’t use a name that begins with a dot “.”, because these names are reserved for the system.” The fact that Zoom created a hidden folder in the user’s Home folder is not normal for a consumer-oriented Mac app.
