hoakley July 10, 2019 Macs, Technology

Apple has pushed an update to MRT to remove Zoom’s hidden web server

Apple has just pushed an update to its malware removal tool, MRT, for macOS, bringing its version number to 1.45. The last version pushed to Macs was 1.42, although some users of beta releases may have seen 1.43 instead. Apple doesn’t appear to have pushed any version 1.44.

According to information given to TechCrunch this evening, Apple says that this update removes the hidden web server installed by previous versions of the Zoom client. If this is the case, it is the first known deployment of MRT to remove a vulnerable product like this, rather than malware. However, TechCrunch doesn’t mention the use of MRT.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by LockRattler and SystHist for El Capitan, Sierra, High Sierra and Mojave, available from Downloads above. If your Mac has not yet installed this update, you can force an update using LockRattler, or at the command line.

If you’re using EFIcienC 1.0b2, this update should show up now and you will be offered the chance to download and install the update. Note that after that, you will need to quit the app and open it again to see the updated version and confirm that it has been correctly installed.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Postscript (0935 UTC 11 July 2019):

According to @ClassicII_MrMac via Patrick Wardle, this new version of MRT also covers an issue in what appears to be the open source virtualiser QEMU, although it’s not clear what it does when it finds it. Perhaps there is an infected/malware version of that app in circulation?

1810 UTC 11 July 2019:

Excellent discussion of the issues involved is at the TidBITS site. If you’re affected by this, or concerned about other similar products, I recommend that you read that article.

19Comments

Add yours

1

Apple Uses Its Malware Removal Tool to Block Vulnerable Versions of Zoom and Its Hidden Local Server — Pixel Envy on July 11, 2019 at 12:49 am

[…] Howard Oakley: […]

LikeLike
2

Tristan Hubsch on July 11, 2019 at 12:56 am

Hi,

This is the first time I tried to update my system with EFIcienC.

At first, it reported MRT 1.42; I chose to update, the “check” again… and get the following conflicting reading:

Green arrow = agreement, red arrows = contradiction.

Cheers, Tristan

>

LikeLiked by 1 person
- 3
  
  hoakley on July 11, 2019 at 6:03 am
  
  Thanks, Tristan – I did explain this above. It’s because of an issue in macOS which won’t return correctly updated bundle versions, presumably due to caching. I have long tried to find a way around it, but so far not been able to address this. EFIcienC does actually report the updates occurring in the scrolling text view, but can’t reflect them in the boxes above, sadly.
  Howard.
  
  LikeLike
4

Tristan Hubsch on July 11, 2019 at 12:57 am

PS.

Quitting EFIcienC, and reopening it corrects the reading:

Cheers, Tristan

>

LikeLiked by 1 person
5

El Pablo on July 11, 2019 at 5:51 am

Can you please tell me the difference between using the command:

“sudo softwareupdate –background-critical”

opposed to:

“softwareupdate -ia –include-config-data”?

Many thanks!

LikeLiked by 1 person
- 6
  
  hoakley on July 11, 2019 at 6:01 am
  
  These are detailed in the LockRattler Help book.
  The first command runs the update as a background process. Experience is that sometime in the next 10 minutes or so, updates will be downloaded and installed.
  The second command gets all outstanding updates immediately – the only wait is for the server connection. It should happen straight away, and complete as quickly as possible. Generally, it’s the more reliable and preferred.
  I hope that helps.
  Howard.
  
  LikeLike
  - 7
    
    El Pablo on July 11, 2019 at 6:07 am
    
    Thanks for your quick response!
    
    No sure why you would ever want to run the background command opposed to the other command which is immediate?
    
    LikeLiked by 1 person
    - 8
      
      hoakley on July 11, 2019 at 7:52 am
      
      I agree but LockRattler gives you the choice.
      Howard
      
      LikeLike
9

El Pablo on July 11, 2019 at 8:18 am

Has anyone installed the MRT update with an older version of Zoom and verified it actually removes the web server?

LikeLiked by 1 person
- 10
  
  hoakley on July 11, 2019 at 9:29 am
  
  Maybe Apple and Zoom? It appears in the code of this new version of MRT, according to experts like Patrick Wardle, although it does appear to have been obfuscated.
  Howard.
  
  LikeLike
- 11
  
  hoakley on July 11, 2019 at 4:56 pm
  
  A can now confirm that this MRT update does remove the Zoom web server – independently tested by many now!
  However, you have to restart (or run MRT) after installing the update for it to work.
  Howard.
  
  LikeLike
  - 12
    
    El Pablo on July 11, 2019 at 9:01 pm
    
    Thanks for the info!
    
    When will MRT run if a user doesn’t restart or automatically invoke the scan?
    
    LikeLiked by 1 person
    - 13
      
      hoakley on July 11, 2019 at 9:43 pm
      
      I have a more detailed article coming in the morning (0630 UTC 12 July), but if you don’t restart, the only option is to run MRT manually using
      /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
      You may wish to read tomorrow’s article before doing this, though.
      It’s so good that Apple documents all this – not.
      Howard.
      
      LikeLike
14

Zoom and RingCentral Exploits Allow Remote Webcam Access - TidBITS on July 11, 2019 at 3:50 pm

[…] first, and look for MRTConfigData, which should be at version 1.45 or above. (Hat tip to Howard Oakley for that […]

LikeLike
15

Zoom and RingCentral Exploits Allow Remote Webcam Access – The I phone 5 se news on July 12, 2019 at 4:58 am

[…] first, and look for MRTConfigData, which should be at version 1.45 or above. (Hat tip to Howard Oakley for that […]

LikeLike
16

Rodney Peel on July 12, 2019 at 11:08 am

Version 1.45 of MRT was installed on my system yesterday, the 11th (I have long had Software Updates set to automatic in System Preferences) and the latest version of Zoom, version: 4.4.4 (53932.0709) is also installed. However, as the TidBits article you link to makes clear, it’s still possible to be drawn into joining a Zoom meeting even with the hidden web server ~/.zoom.us removed. On clicking the second of the two ‘How to tell if you’re affected’ links in the TidBits article, I am asked by Safari ‘Do you want to allow this page to open “zoom.us.app”‘? If I click ‘Allow’, Zoom launches and I am taken to a proof of concept shared screen. I haven’t checked this in Chrome or Firefox, but, regardless, it shows the vulnerability is not yet properly fixed.

LikeLiked by 1 person
- 17
  
  hoakley on July 12, 2019 at 12:22 pm
  
  Thank you. I think that it’s even worse than that, and that the fallout from this will continue.
  However, for users who don’t use Zoom, the MRT update does clear away the remains of any previous installation, and leave your Mac as it was before.
  I’m still not sure that I’d want to use Zoom 4.4.4, though.
  Howard.
  
  LikeLike
- 18
  
  El Pablo on July 12, 2019 at 4:07 pm
  
  If you get prompted to allow opposed to auto joining the meeting then everything is patched.
  
  Zoom had set up the web server so people didn’t have to accept to join a meeting when using Safari. Ultimately you still had a click a link and you wouldn’t be prompted to join but would see Zoom open and the traffic was still going over Zoom servers.
  
  LikeLike
19

Zoom Vulnerably Round 2! 10 more variants. Index of MRT Links & Info on July 18, 2019 at 7:02 am

[…] Apple has pushed an update to MRT to remove Zoom’s hidden web server […]

LikeLike

·Comments are closed.

Share this:

Related