Apple has pushed an update to MRT to remove Zoom’s hidden web server

Apple has just pushed an update to its malware removal tool, MRT, for macOS, bringing its version number to 1.45. The last version pushed to Macs was 1.42, although some users of beta releases may have seen 1.43 instead. Apple doesn’t appear to have pushed any version 1.44.

According to information given to TechCrunch this evening, Apple says that this update removes the hidden web server installed by previous versions of the Zoom client. If this is the case, it is the first known deployment of MRT to remove a vulnerable product like this, rather than malware. However, TechCrunch doesn’t mention the use of MRT.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by LockRattler and SystHist for El Capitan, Sierra, High Sierra and Mojave, available from Downloads above. If your Mac has not yet installed this update, you can force an update using LockRattler, or at the command line.

If you’re using EFIcienC 1.0b2, this update should show up now and you will be offered the chance to download and install the update. Note that after that, you will need to quit the app and open it again to see the updated version and confirm that it has been correctly installed.

I have updated the reference pages here, which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Postscript (0935 UTC 11 July 2019):

According to @ClassicII_MrMac via Patrick Wardle, this new version of MRT also covers an issue in what appears to be the open source virtualiser QEMU, although it’s not clear what it does when it finds it. Perhaps there is an infected/malware version of that app in circulation?

1810 UTC 11 July 2019:

There is an excellent discussion of the issues involved at the TidBITS site. If you’re affected by this, or concerned about other similar products, I recommend that you read that article.