{"id":642,"date":"2019-07-10T16:29:59","date_gmt":"2019-07-10T07:29:59","guid":{"rendered":"https:\/\/joel.ingulsrud.net\/blog\/?p=642"},"modified":"2019-07-11T14:28:18","modified_gmt":"2019-07-11T05:28:18","slug":"check-your-mac-for-the-zoom-video-conferencing-vulnerability","status":"publish","type":"post","link":"https:\/\/joel.ingulsrud.net\/blog\/2019\/07\/10\/check-your-mac-for-the-zoom-video-conferencing-vulnerability","title":{"rendered":"Check your Mac for the Zoom Video Conferencing Vulnerability"},"content":{"rendered":"<h3><span style=\"color: #ff0000;\"><strong>UPDATE 2019-07-11:<\/strong><\/span>\u00c2\u00a0Apple <a href=\"https:\/\/techcrunch.com\/2019\/07\/10\/apple-silent-update-zoom-app\/\">has confirmed<\/a> they pushed out a \u00e2\u20ac\u0153silent update\u00e2\u20ac\u009d to remove the offending Zoom server on Macs, the same method they use to deal with malware\u00e2\u20ac\u201dno user interaction needed.<\/h3>\n<p>I&#8217;ll leave my original post in place, but <strong><em>there is no need to follow the manual removal steps detailed below<\/em><\/strong>, thanks to Apple taking the unusual step of treating commercial software in use by millions as malware.<\/p>\n<p><!--more--><\/p>\n<p><em>This security alert reveals such an unconscionable product design\/business ethic failure I will never use or recommend the guilty party\u00e2\u20ac\u2122s products again<\/em>.<\/p>\n<p>If you suspect you may have ever installed video conferencing software from Zoom or Ringcentral on any of your Macs <strong><em>it may very well still be running a web server in the background<\/em><\/strong> that could enable somebody to access the built-in FaceTime camera without your permission.<\/p>\n<p>Open the Terminal app, found in the Utilities folder in the Applications folder on your Mac, and type or copy-and-paste the following command (followed by the return key) to confirm whether Zoom\u00e2\u20ac\u2122s server is running:<\/p>\n<pre>lsof -i :19421<\/pre>\n<p>(The first character is a lower-case L)<\/p>\n<p>If there is no response, you\u00e2\u20ac\u2122re good.<\/p>\n<p>If there is a response in the form of a bunch of technical text and numbers, and you have a critical need to continue using Zoom, they released an emergency fix as of July 9th, 2019, so updating to the latest version will <em>supposedly<\/em> remove the local web server. There will likely be an upgrade prompt when you open the app.<\/p>\n<p>If you don&#8217;t have a critical need to use Zoom, and you are not familiar with or comfortable deleting files using the Terminal commands, install the latest version of the Zoom Mac Client and use the new option in the Zoom menu bar to manually uninstall the Zoom client, <em>supposedly<\/em> including the local web server.<\/p>\n<p>I use the term <em>supposedly<\/em> because I cannot trust Zoom and will not let Zoom software anywhere near any of my devices, even links to their web site. If possible, manually uninstall everything to do with Zoom software from your devices.<\/p>\n<p>1. In the response to the Terminal command <em><strong>lsof -i :19421<\/strong><\/em> find the string of numbers underneath the text <em><strong>PID<\/strong><\/em>. This is the <em>process ID<\/em> of the Zoom web server.<\/p>\n<p>2. Select the PID number and copy it to the clipboard.<\/p>\n<p>3. On the command line, type:<\/p>\n<pre>kill -9<\/pre>\n<p>\u00e2\u20ac\u00a6followed by a space character, and then paste the PID number.<\/p>\n<p>4. Press the return key. This will stop the server\u00c2\u00a0<em>emphatically<\/em> (the -9 option) and <em>specifically<\/em> (it\u00e2\u20ac\u2122s unique ID).<\/p>\n<p>5. Delete Zoom software using the Finder:<br \/>\na. Select the <strong><em>Go to Folder\u00e2\u20ac\u00a6<\/em><\/strong> command from the Finder&#8217;s <strong><em>Go<\/em><\/strong> menu.<br \/>\nb. Type ~\/.zoomus to view the contents of a hidden folder in your Home folder.*<br \/>\nc. Drag any contents of the .zoomus folder to the Trash.<br \/>\nd. Repeat steps a-through-c to move the following items to the Trash:<\/p>\n<pre>Go to Folder ~\/Library\/Application Support\/ and Trash zoom.us<\/pre>\n<pre>\/System\/Library\/Extensions\/ZoomAudioDevice.kext<\/pre>\n<pre>\/Applications\/zoom.us.app<\/pre>\n<pre>~\/Applications\/zoom.us.app (in case it got installed in your Home folder Applications)<\/pre>\n<p>e. Empty the Trash, holding down the Control key if you want the deletion to be permanent.<\/p>\n<p>For the nitty-gritty details, refer to the <a href=\"https:\/\/medium.com\/bugbountywriteup\/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5\">blog post of the security researcher who discovered this travesty<\/a>:<\/p>\n<blockquote><p><em>\u00e2\u20ac\u00a6if you\u00e2\u20ac\u2122ve ever installed the Zoom client and then uninstalled it, <strong>you still have a localhost web server on your machine<\/strong> that will happily re-install the Zoom client for you, <strong>without requiring any user interaction on your behalf besides visiting a webpage<\/strong><\/em><\/p><\/blockquote>\n<p><em>*As part of its UNIX heritage, the Finder hides any files or folders that start with periods, and if you try making your own it will scold, <\/em>\u00e2\u20ac\u0153You can\u00e2\u20ac\u2122t use a name that begins with a dot \u00e2\u20ac\u0153.\u00e2\u20ac\u009d, because these names are reserved for the system<em>.<\/em>\u00e2\u20ac\u009d<em>\u00c2\u00a0The fact that Zoom created a hidden folder in the user&#8217;s Home folder is <strong>not normal<\/strong> for a consumer-oriented Mac app.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you suspect you may have ever installed video conferencing software from Zoom or Ringcentral on any of your Macs it may very well still be running a web server in the background that could enable somebody to access the built-in FaceTime camera without your permission.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107,106,71],"tags":[],"class_list":["post-642","post","type-post","status-publish","format-standard","hentry","category-macintosh","category-security","category-software"],"_links":{"self":[{"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/posts\/642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/comments?post=642"}],"version-history":[{"count":7,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/posts\/642\/revisions"}],"predecessor-version":[{"id":650,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/posts\/642\/revisions\/650"}],"wp:attachment":[{"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/media?parent=642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/categories?post=642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joel.ingulsrud.net\/blog\/wp-json\/wp\/v2\/tags?post=642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}