Massive security vulnerabilities in Zoom on Mac


#1

Hey everyone,

there’s a massive security hole in the Zoom client/installations on all of our Macs that isn’t fixed to this day.

Here’s an article that gives a report of what’s going on: https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

You can patch yourself for now by scrolling down to the “Patch yourself” section and following the steps described there. For non-developers, if this looks sketchy to you, feel free to reach out, I’m happy to support there.

The steps are:

  1. Turn off the setting that automatically turns on the camera when joining a Zoom meeting (Start Zoom, Settings, Video, uncheck “Turn on my video when joining meeting”). Alternatively, you can run this inside a terminal of your choice:

     sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

  2. Shut down the local webserver installed and run by Zoom. This one even exists if you’ve ever uninstalled Zoom. Run the following in your terminal:

     lsof -i :19421

     ^ This will output a PID. Then run:

     kill -9 [PID]

  3. Remove the ~/.zoomus directory (this can destroy your system; if you don’t feel comfortable running this command, you can open your home directory, show hidden files, and remove the .zoomus folder from there):

     rm -rf ~/.zoomus
     touch ~/.zoomus

Please act ASAP.

/cc @petty
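A small audit helper for the three steps above, added here as an example and not part of the original post. It only reports state and changes nothing; it assumes the port (19421), plist key (ZDisableVideo) and directory (~/.zoomus) named in the post, and skips the `defaults` check on systems where that command does not exist.

```shell
#!/bin/sh
# Audit script (added example, not from the original post): reports whether
# each mitigation step from the post has been applied on this machine.

ZOOM_PORT=19421   # local helper's listening port, as stated in the post

# Read `lsof -i :PORT` output on stdin and print the unique PIDs found
# (header line skipped, second column must be numeric).
zoom_pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Classify the ~/.zoomus path: "dir" means the helper's data directory is
# still present, "file" means step 3 (rm + touch) has been applied,
# "missing" means neither exists. A path argument overrides $HOME/.zoomus.
zoomus_state() {
    path="${1:-$HOME/.zoomus}"
    if [ -d "$path" ]; then
        echo dir
    elif [ -e "$path" ]; then
        echo file
    else
        echo missing
    fi
}

# Check the video-on-join setting via the plist key from step 1.
# Assumption: the key reads back as "1" once written. `defaults` is
# macOS-only, so elsewhere this reports "unknown".
video_autostart_state() {
    if ! command -v defaults >/dev/null 2>&1; then echo unknown; return; fi
    v=$(defaults read /Library/Preferences/us.zoom.config.plist ZDisableVideo 2>/dev/null)
    [ "$v" = "1" ] && echo disabled || echo enabled
}

audit() {
    if command -v lsof >/dev/null 2>&1; then
        pids=$(lsof -nP -i ":$ZOOM_PORT" 2>/dev/null | zoom_pids_from_lsof)
        if [ -n "$pids" ]; then
            echo "port $ZOOM_PORT: listener PID(s) $pids (step 2 not applied)"
        else
            echo "port $ZOOM_PORT: nothing listening"
        fi
    fi
    echo "~/.zoomus: $(zoomus_state)"
    echo "video auto-start: $(video_autostart_state)"
}

audit
```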


#2

I just changed this in the admin settings


#3

QQ - do we uncheck (i.e. to turn on video when entering the meeting) or check (to turn off video)?


#4

Do you have a non-admin client as well?

You can/should still turn this off for yourself when joining other meetings (where you aren’t the host/admin).

IOW: you still want to go through the steps described above.


#5

Sorry this was a typo. It should say “Turn on my video when joining meeting” and you want that to be unchecked.


#6

Updated the post. Sorry for the confusion.


#7

I love that you beat me to doing this.