@cilindrox
Forked from karanlyons/ZoomDaemon.yara
Created July 11, 2019 12:14
Fix for Unexpected Zoom Behavior

If you're using macOS, run these commands:

pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

These two commands do the same thing for the two most popular "brands" of Zoom (Zoom and RingCentral). They first kill the hidden server if it is running, and then, whether or not it was running, delete it from its hidden directory if it exists there. Finally, they create an empty file at that path and set permissions on it such that the hidden server cannot be reinstalled to that location. For the current versions of these applications this is sufficient; however, it is possible that a later version could subvert this fix.

If you're using Safari on macOS, you're now good to go. However, if you're using any other browser (even on other operating systems), you may still see a link immediately open Zoom for you. This is not the same vulnerability, and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".

Here's how to undo that.

For Chrome:

  1. Navigate to chrome://version/ and find the path listed under "Profile Path".
  2. Quit Chrome, open that directory, and then open the "Preferences" file.
  3. This is a JSON file. Look for the string "zoommtg":false or "zoomrc":false. If either exists, remove it. If there is a comma immediately after either string, remove it as well.
  4. Save the file.
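
The Chrome steps above, scripted as an added example (not part of the original gist): parsing the file as JSON removes the "zoommtg":false and "zoomrc":false entries wherever they sit, so there are no stray commas to fix by hand. Quit Chrome first, as in step 2; the nesting used in the constructed sample is an assumption for the demo.

```python
import json
import shutil
from pathlib import Path

SCHEMES = ("zoommtg", "zoomrc")  # handler names given in the steps above


def strip_auto_open(node, removed=None):
    """Recursively delete SCHEMES keys whose value is false; return the removed keys."""
    removed = [] if removed is None else removed
    if isinstance(node, dict):
        for key in list(node):  # copy the keys so deleting while looping is safe
            if key in SCHEMES and node[key] is False:
                del node[key]
                removed.append(key)
            else:
                strip_auto_open(node[key], removed)
    elif isinstance(node, list):
        for item in node:
            strip_auto_open(item, removed)
    return removed


def clean_preferences(path):
    """Remove the entries from a Preferences file, keeping a .bak copy of the original."""
    path = Path(path)
    prefs = json.loads(path.read_text(encoding="utf-8"))
    removed = strip_auto_open(prefs)
    if removed:  # only touch the file when something actually changed
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(json.dumps(prefs, separators=(",", ":")), encoding="utf-8")
    return removed


# Constructed sample, not a real profile; the key nesting is assumed for the demo.
SAMPLE = ('{"protocol_handler":{"excluded_schemes":{"mailto":false,'
          '"zoommtg":false,"zoomrc":false}},"other":{"zoommtg":true}}')

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # pass the Preferences path found via chrome://version/
        print("removed:", clean_preferences(sys.argv[1]))
    else:
        demo = json.loads(SAMPLE)
        print("removed:", strip_auto_open(demo), "->", json.dumps(demo))
```

Entries with any value other than false are left alone, and a second run on an already cleaned file reports nothing removed and does not rewrite it.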

For Firefox:

  1. Open Firefox's Preferences.
  2. Search for the string zoommtg or zoomrc using "Find in Preferences".
  3. If you see a table with the headers "Content Type" and "Action", find the row labeled zoommtg and/or zoomrc and set the action to "Always ask".

In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.
