(Subscribe to this gist for any updates as we get them.)
If you're using macOS, Apple has pushed an update that will remove the 14 known web servers for you. To check if you already have it:

```
/usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
```

If the latest version you have installed is 1.47, you should be secure against the vulnerability in these applications. If necessary, you may run an MRT scan yourself:

```
sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a
```

If your latest version is for some reason out of date, you can force an update of MRTConfigData:

```
softwareupdate --list --include-config-data
```

- Find any and all MRTConfigData-related updates (such as `MRTConfigData_10_14-1.47`), and install them with `softwareupdate -i [package_name] --include-config-data`
- Force an install of all available updates: `softwareupdate -ia --include-config-data`
The latest versions of both Zoom and RingCentral will also remove the servers themselves, so if you still have either application installed, check to be sure it's up to date.
To remove all the known daemons manually, run these commands in your Terminal:
```
# Removed by MRT 1.45
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"
# Removed by MRT 1.46
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.telusmeetingsopener; touch ~/.telusmeetingsopener && chmod 555 ~/.telusmeetingsopener; pkill "TelusMeetingsOpener"
rm -rf ~/.btcloudphonemeetingsopener; touch ~/.btcloudphonemeetingsopener && chmod 555 ~/.btcloudphonemeetingsopener; pkill "BTCloudPhoneMeetingsOpener"
rm -rf ~/.officesuitehdmeetingopener; touch ~/.officesuitehdmeetingopener && chmod 555 ~/.officesuitehdmeetingopener; pkill "OfficeSuiteHDMeetingOpener"
rm -rf ~/.attvideomeetingsopener; touch ~/.attvideomeetingsopener && chmod 555 ~/.attvideomeetingsopener; pkill "ATTVideoMeetingsOpener"
rm -rf ~/.bizconfopener; touch ~/.bizconfopener && chmod 555 ~/.bizconfopener; pkill "BizConfOpener"
rm -rf ~/.huihuiopener; touch ~/.huihuiopener && chmod 555 ~/.huihuiopener; pkill "HuihuiOpener"
rm -rf ~/.umeetingopener; touch ~/.umeetingopener && chmod 555 ~/.umeetingopener; pkill "UMeetingOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
rm -rf ~/.zoomcnopener; touch ~/.zoomcnopener && chmod 555 ~/.zoomcnopener; pkill "ZoomCNOpener"
# Removed by MRT 1.47
rm -rf ~/.accessionmeetingopener; touch ~/.accessionmeetingopener && chmod 555 ~/.accessionmeetingopener; pkill "AccessionMeetingOpener"
rm -rf ~/.videoconferenciatelmexopener; touch ~/.videoconferenciatelmexopener && chmod 555 ~/.videoconferenciatelmexopener; pkill "VideoConferenciaTelmexOpener"
rm -rf ~/.earthlinkmeetingroomopener; touch ~/.earthlinkmeetingroomopener && chmod 555 ~/.earthlinkmeetingroomopener; pkill "EarthLinkMeetingRoomOpener"
```

These commands do the same thing for each of the known white labels of Zoom: they remove the web server if it exists in the hidden directory, then create an empty file in its place with permissions set to mode 555 so that the hidden server cannot be reinstalled to that location, and finally they kill the server process by name if it is running.
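The same rm/touch/chmod sequence, written as an audit-then-harden script with the base directory as a parameter so it can be dry-run on a scratch directory before being pointed at `$HOME`. This is an added example, not code from the original gist; the directory names are the ones listed above, and the function names (`opener_state`, `harden_opener`, `audit_openers`) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original gist: the gist's rm/touch/chmod
# sequence as an audit-then-harden script that takes the base directory as a
# parameter, so it can be dry-run on a scratch directory before targeting $HOME.
# The directory names are the ones the gist lists; the function names are mine.
OPENER_DIRS=".zoomus .ringcentralopener .telusmeetingsopener .btcloudphonemeetingsopener
.officesuitehdmeetingopener .attvideomeetingsopener .bizconfopener .huihuiopener
.umeetingopener .zhumuopener .zoomcnopener .accessionmeetingopener
.videoconferenciatelmexopener .earthlinkmeetingroomopener"

# opener_state BASE NAME: server (directory present, i.e. the hidden web server
# is installed), stub (the gist's mode-555 placeholder), absent, or unexpected
# (something else sits at that path and deserves a manual look).
opener_state() {
  p="$1/$2"
  if [ -d "$p" ]; then
    echo server
  elif [ ! -e "$p" ]; then
    echo absent
  else
    case "$(ls -ld "$p")" in
      -r-xr-xr-x*) echo stub ;;
      *) echo unexpected ;;
    esac
  fi
}

# harden_opener BASE NAME: remove whatever is there, then leave a mode-555 file
# so the directory cannot be recreated (idempotent: safe to rerun).
harden_opener() {
  p="$1/$2"
  rm -rf "$p"
  touch "$p" && chmod 555 "$p"
}

# audit_openers BASE: prints "name state" per known opener; returns 1 while any
# server directory is still present, so it can gate a larger script.
audit_openers() {
  found=0
  for d in $OPENER_DIRS; do
    s=$(opener_state "$1" "$d")
    echo "$d $s"
    [ "$s" = server ] && found=1
  done
  return $found
}
```

Source the file and run `audit_openers "$HOME"` to see where each known opener stands; `harden_opener "$HOME" .zoomus` applies the fix for one entry, with the `pkill` step from the commands above still to be run separately.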
If you're using Safari on macOS you're now good to go. However if you're using any other browser (even on other operating systems) you may still see a link immediately open Zoom (or another app) for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".
Here's how to undo that.
- Navigate to chrome://version/ and find the path listed under "Profile Path".
- Quit Chrome, open that directory, and then open the "Preferences" file.
- This is a JSON file. Look for strings similar to `"zhumu":false`, or whatever likely coincides with your white labelled application. If either exists, remove it. If there is a comma immediately after either string, remove it as well.
- Save the file.
- Open Firefox's Preferences.
- Search for the string `Applications` using "Find in Preferences".
- If you see a table with the headers "Content Type" and "Action", find the rows labeled `zhumu`, or whatever likely coincides with your white labelled application. If any exist, set their action to "Always ask".
In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.
If you are aware of any other rebranded Zoom applications not covered here, please let me know.
Running something like `lsof +c 15 -i :19400-19500` (look for any FooOpeners) or using the below yara rules may find more. If you find any not in this list, please email, tweet, or call me so we can investigate it further.
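A small triage filter for the `lsof` check above, added here as an example (not part of the original gist): it reads the `lsof +c 15 -i :19400-19500` output on stdin and reports every local listener in that port range, marking command names that end in "Opener" as the known pattern and anything else for review. The sample `lsof` output is constructed for the dry run, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original gist: triage for the lsof check above.
# Feed it the output of `lsof +c 15 -i :19400-19500` on stdin; it prints one line
# per local listener in that port range. A command name ending in "Opener" is the
# pattern the gist describes (known-opener); anything else is marked review.
triage_openers() {
  awk '
    NR > 1 && $NF == "(LISTEN)" {
      n = split($(NF-1), addr, ":")        # NAME field, e.g. localhost:19421
      port = addr[n] + 0
      if (port < 19400 || port > 19500) next
      verdict = ($1 ~ /Opener$/) ? "known-opener" : "review"
      printf "%s pid=%s port=%d %s\n", verdict, $2, port, $1
    }'
}

# Constructed sample output (not captured from a real machine): one known opener,
# a browser connected to it (not a listener, so ignored), and an unknown listener.
SAMPLE_LSOF='COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener     4242 alice   3u  IPv4 0x1a2b      0t0  TCP localhost:19421 (LISTEN)
Google\x20Chrom 1337 alice  41u  IPv4 0x1a2c      0t0  TCP localhost:54321->localhost:19421 (ESTABLISHED)
mystery        9001 alice   5u  IPv4 0x1a2d      0t0  TCP *:19499 (LISTEN)'

# sample_findings: runs the triage over the constructed sample, for a dry run.
sample_findings() {
  printf '%s\n' "$SAMPLE_LSOF" | triage_openers
}
```

On a real machine, pipe the live output in with `lsof +c 15 -i :19400-19500 | triage_openers`; a line marked review is a listener on the range whose name does not follow the FooOpener pattern and is exactly the kind of thing worth reporting back.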