Zoom Desktop Vulnerability for macOS

Update: Apple is now silently pushing out an update that removes the Zoom “hidden feature”, so you will be pleased to know that the geeky removal below is no longer necessary. Just make sure you have opted in to all recent updates from Apple, and let it “phone home” for malware updates.

Update 2: It turns out (not entirely unexpectedly) that the little web server Zoom installs is not only a vulnerability in itself but is itself exploitable, allowing an attacker to do just about anything on your computer that you can.

Update 3: In addition to Zoom, it seems that BlueJeans and RingCentral Meetings may be licensed copies of Zoom and so also install the little “helper” web server. Assume they are similarly vulnerable.

According to the security researcher who found the vulnerability (warning: it gets quite technical quite quickly), installing Zoom, which usually happens at the last minute before a conference call when someone suggests you install it to see the presentation slides, exposes you to a vulnerability that lets a rogue web site drop you into a meeting with your webcam switched on, without any prompt or notification.

Indeed, the vulnerability is still present after the Zoom client is removed in the ordinary way. As well as the client itself, Zoom installs a small web server that listens on your own machine (localhost, port 19421) so that meeting links can start the client, and re-install it if it has gone, without the browser asking you first. On the down side, any web page you visit can send requests to that local web server, so a malicious site can use it to launch the client, join you to a meeting, or trigger a re-install.

Not good news!

The current Zoom response amounts to “make sure your web cam is turned off” when inside the Zoom client (‘go into the Zoom settings window and enable the “Turn off my video when joining a meeting” setting.’)

Which doesn’t seem quite adequate.

The only currently known way to remove that hidden web server is, unfortunately, from the Terminal:

$ sudo lsof -i :19421
# note the PID of the process listed (there may be none, in which case skip the kill)
$ kill <PID>
# replace <PID> with the number shown by lsof
$ rm -rf ~/.zoomus
# if you want to be ultra cautious you could rename it instead: mv ~/.zoomus ~/that-dodgy-zoom-thing

In addition you will want to remove the Zoom desktop client in the normal way (drag from the Applications folder to the trash icon).
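The same steps, wrapped in a script you can re-run to check whether the helper has come back. This is an added example, not code from the original post or from Zoom. It assumes the helper listens on TCP port 19421 (the port checked above) and it adds one hardening step the post does not mention: after deleting ~/.zoomus it leaves an empty file with no permission bits in its place, so the client cannot quietly recreate the directory. That step is taken from the researcher's write-up rather than from this post, so treat it as an assumption.

```shell
#!/bin/sh
# Added example: find, stop and neutralise the Zoom "helper" web server on macOS.
# Assumes the helper listens on TCP 19421 and lives under ~/.zoomus (as above).

ZOOM_PORT=19421
ZOOMUS_DIR="${HOME}/.zoomus"

# Print the PID(s) of anything listening on the helper port, one per line.
# Prints nothing (and still succeeds) when there is no listener or no lsof.
zoom_helper_pids() {
    lsof -nP -iTCP:"${1:-$ZOOM_PORT}" -sTCP:LISTEN -t 2>/dev/null || :
}

# Stop every listener on the port. Succeeds even when nothing was running,
# so the script is safe to re-run after the first cleanup.
stop_zoom_helper() {
    pids=$(zoom_helper_pids "$1")
    if [ -z "$pids" ]; then
        echo "no listener on port ${1:-$ZOOM_PORT}"
        return 0
    fi
    for p in $pids; do
        kill "$p" && echo "killed $p"
    done
}

# Delete the helper's directory and replace it with an empty, permission-less
# file. A plain file the user cannot open or write blocks a silent re-install
# into that path (hardening step assumed from the researcher's write-up).
neutralise_zoomus() {
    target="${1:-$ZOOMUS_DIR}"
    rm -rf "$target"
    : > "$target"
    chmod 000 "$target"
}

# Exit 0 only when the target is a regular file with no permission bits set.
# ls -ld output starts with the type character, then nine permission bits.
zoomus_is_locked() {
    target="${1:-$ZOOMUS_DIR}"
    [ -f "$target" ] || return 1
    [ "$(ls -ld "$target" | cut -c2-10)" = "---------" ]
}

main() {
    stop_zoom_helper
    neutralise_zoomus
    zoomus_is_locked && echo "~/.zoomus is now a locked placeholder"
}

# Only perform the cleanup when asked to; otherwise just define the functions
# so the file can be sourced and the checks run individually.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Save it as, say, zoom_helper_cleanup.sh and run `sh zoom_helper_cleanup.sh --run` as the user who installed Zoom; the helper runs as that user, so no sudo is needed to stop it. Running it a second time should report "no listener on port 19421" and leave the placeholder file untouched.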

Whilst this is being actively exploited, the damage so far seems to be limited to suddenly finding yourself in a conference call with a bunch of random strangers all looking rather startled. That might sound amusing, but it is probably the least of what could result.
