The zoom.us application has a security flaw thanks to a hidden web server that is installed along with the application.
Affects versions of zoom.us below: 4.4.53932.0709
The following patch should also mitigate: https://nvd.nist.gov/vuln/detail/CVE-2019-13450
This threat also affects RingCentral as this is powered by zoom.us
Once installed, zoom.us runs its own web server service. This can be seen from running the following:
This process can be killed and even removed, but you may notice it reinstall. To mitigate this security flaw, either:
- Update to version 4.4.53932.0709 or above - removes the zoom.us web service
- Patch your macOS device with MRTConfigData version 1.45 or above - removes the zoom.us web service
Updates may be downloaded from: https://zoom.us/download
This page also hosts a download for managed deployment, labelled "Download for IT Admin". With the use of a pre-configured supporting file, the software may be configured during installation:
As such, it should be possible to preset the video to be off, for example.
- Key: ZDisableVideo
- Type: Boolean
- Value: True
However, it appears that although the configuration plist file is placed in /Library/Preferences/, editing this file has no effect on the shown preference once the software is installed. As such, consider reinstalling the software with this supporting file.
Apple have reacted to this and have provided an update to their Malware Removal Tool. Allowing this tool to update to version 1.45 or higher will remove the web service part of zoom.us if it exists.
If devices are already configured to "Install system data files and security updates" then this should install automatically.
However, if this option is disabled, FileWave is able to push the update as a Software Update Fileset. Searching for MRTConfigData should show version 1.45 (041-84505)
It may be prudent to monitor the use of the software and devices to ensure they are protected.
FileWave already stores Application versions by default. It is therefore possible to create an Inventory Query to show installations of zoom.us:
However, to report on the version of MRTConfigData would require a Custom Field which could be based upon:
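One way such a Custom Field script could classify a device against the two mitigations above, as an added example (not the command from the original article and not FileWave's own code). The version thresholds come from this page; the plist paths and keys are assumptions, as is the expectation that both versions are plain dotted numbers.

```sh
#!/bin/sh
# Added example. Thresholds are from the article; paths and keys are assumptions.
ZOOM_FIXED="4.4.53932.0709"
MRT_FIXED="1.45"
ZOOM_PLIST="/Applications/zoom.us.app/Contents/Info.plist"               # assumed path
MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/version.plist"  # assumed path

# version_ge A B: succeeds when dotted version A >= B. Fields are compared
# numerically, so the leading zero in "0709" is not read as octal.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    max = (n > m) ? n : m
    for (i = 1; i <= max; i++) {
      if ((x[i] + 0) > (y[i] + 0)) exit 0
      if ((x[i] + 0) < (y[i] + 0)) exit 1
    }
    exit 0
  }'
}

# classify ZOOM_VERSION MRT_VERSION: an empty argument means "not found".
classify() {
  if [ -n "$1" ] && version_ge "$1" "$ZOOM_FIXED"; then
    echo "protected: zoom.us updated"
  elif [ -n "$2" ] && version_ge "$2" "$MRT_FIXED"; then
    echo "protected: MRTConfigData updated"
  elif [ -z "$1" ]; then
    echo "zoom.us not found"
  else
    echo "exposed"
  fi
}

# read_version PLIST KEY: prints the value, or nothing if unavailable.
read_version() {
  [ -f "$1" ] && [ -x /usr/bin/defaults ] || return 0
  /usr/bin/defaults read "$1" "$2" 2>/dev/null || true
}

# On macOS, print the status line for this device.
if [ "$(uname)" = "Darwin" ]; then
  classify "$(read_version "$ZOOM_PLIST" CFBundleVersion)" \
           "$(read_version "$MRT_PLIST" CFBundleShortVersionString)"
fi
```

A device reporting "exposed" has neither mitigation in place; "zoom.us not found" means the application bundle is absent and MRTConfigData is below 1.45 or could not be read.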