Zoom and RingCentral Exploits Allow Remote Webcam Access

Or in case, for some unfathomable reason, people are reluctant to download and install yet more software from these known purveyors of malware.

Fool me once…

Now Apple has joined in on the fun, releasing a silent update to kill the Zoom Web server. I’ve updated the article again to reflect that.

I’ve updated the article AGAIN to add more information about the stealth Apple update, and to add instructions from Karan Lyons on how to mitigate the vulnerability in Chrome and Firefox. Really, I just advise updating the Zoom client and uninstalling it entirely, it’ll save you a lot of trouble.

While the second of Leitschuh’s proof of concept links works and dumps me into the conference (audio/video initially both off as set in prefs), the first link just leads me to a page with broken image link. :confused:

Apple has released a second silent update to address vulnerabilities in RingCentral and Zhumu, the Chinese version of Zoom.

And with Zoom already showing incredibly poor judgment, we advise uninstalling the client unless you absolutely need it.

Just wondering, what app would you suggest for duplicating Zoom’s functionality?

Howard Oakley has penned a nice article about how to check that Zoom is really gone.

Since I read your article, I’ve been checking the System Information app’s “Installations” list, but the “MRTConfigData” item still says “1.28, 2018/01/27, 15:59.”
This morning (Japan time) I installed Security Update 2019-004 into my iMac’s High Sierra 10.3.6, but System Information still says the same thing about MRTConfigData.

I searched for files that has the text string “METConfigData” in the name, and EasyFind found two files named com.apple.pkg.MRTConfigData…, one ending with".plist", and another ending with “.bom”, and both are in /System/Library/Receipts, and are dated 2018/01/27, 15:59.

Howard Oakley’s page says High Sierra should have MRT Config Data version 1.47, 18 July 2019, but my iMac’s High Sierra system doesn’t have that! It says only version 1.28 of January 2018.

However, there is an application named “MRT” in /System/Library/CoreServices, and its last modified date is today, July 23, 2019, 9:50 AM (Japan time), that was when Security Update 2019-004 was being installed.

That would seem to indicate to me that you don’t have your System Preferences properly configured to receive updates. Go to System Preferences->App Store and make sure you have checked both the “Automatically check for updates” and “Install system data files and security updates” enabled. The security updates mentioned here are not the same as the update you manually installed today, rather they are critical background (silent) installs.

System Information only shows you the dates when a particular package is installed, so it will show you that Security Update 2019-004 was installed, but not the individual components like MRT.

Yes, you have been looking in the wrong place for your current version number. That app is what was installed with the Security Update, so you are now fully up-to-date. There is a Terminal command you can use to see what version you have, but a much easier way is to download Howard Oakley’s SilentKnight or LockRattler app from https://eclecticlight.co/lockrattler-systhist/ and run it when you hear there has been an update.

1 Like

Hi Al, thank you for your message.

That would seem to indicate to me that you don’t have your System Preferences properly configured to receive updates. Go to System Preferences->App Store and make sure you have checked both the “Automatically check for updates” and “Install system data files and security updates” enabled.

Yes. I’ve checked System Preferences’ App Store tab right now, and the settings are indeed set as you said.

Yes, you have been looking in the wrong place for your current version number. That app is what was installed with the Security Update, so you are now fully up-to-date.

Finder says that the version number of the MRT application (currently in my //System/Library/CoreServices) is 1.35 (created on June 14, 2018, 9:02, and modified today, at 9:50.

Howard Oakley’s SilentKnight app (version 1.1 (2)) complains Gatekeeper is version 135 which should be 173, and MRT is version 1.35 which should be 1.47.

So, my question is: why did Apple fail to update those versions? Security Update 2019-004 certainly updated my system this morning (and did modify the MRT app), and why didn’t it make them “up to date”?

I was in Mojave, so had to reboot to High Sierra to figure out what was going on.

I am able to verify that the version of MRT that comes with Security Update 2019-004 for Sierra is 1.35, and since you had an older version before, it was updated. I have no idea why Apple chose not to include the latest versions. They have a special package included with each update designed to do exactly that. There are several projects that are managed by individual development teams that operate independently of the main macOS engineering team. Examples are Safari, iTunes, MRT, Gatekeeper, XProtect, etc. A separate package called “FullBundleUpdate.pkg” is part of each update with the intent of gathering those disparate items into the update. Again, I don’t know that this was an error or there was some underlying reason for using an older version. I can tell you that it’s not at all unusual as I see it with just about every update.

In my case, I already had version 1.47 and the installer was smart enough not to downgrade it, but I’ve seen that in the past, as well.

What should happen in your case is that within 24 hours, the system should check and bring any of those “system data files and security updates” up to date in the background, as long as your Mac is awake and you are logged in. But judging from what you’ve observed, that probably isn’t going to happen. There is almost certainly something systemically wrong with your setup, but I have no idea what it might be.

So you can either wait 24 hours while logged into your computer to see if the updates take place or if you don’t feel you can wait, use SilentKnight, since you already have it, and if it shows “updates available” for Gatekeeper and MRT, click the “Install all updates” button and be done with it…for now.

1 Like

A post was split to a new topic: Recording audio from Zoom calls

This morning (Japan Time), after seeing Agen’s TidBITS Talk message, I let the App Stare app install a newly released
“Security Update 2019-004 High Sierra 10.13.6”, on my iMac running macOS High Sierra 10.13.6.

A week ago, I let it install “Security Update 2019-004”, which updated my iMac to High Sierra 10.13.6 (17G8029).
This morning, after the new update, my iMac says it’s running High Sierra 10.13.6 (17G8030).

Safari was not touched this morning - it had been updated to Safari 12.1.2 (13607.3.10) last week.

According to Howard Oakley’s SilentKnight, even after the new Security Update this morning,
Gatekeeper is still version 135 which should be 173, and MRT is still version 1.35 which should be 1.47.
So, it looks like Apple is still thinking version 1.35 of MRT/Gatekeeper is enough for macOS High Sierra 10.13.6.

P.S.: About an hour ago, I sent this message using a wrong method to Post. Sorry Adam, please disregard the message of mine an hour ago (7:55 AM Japan time), and use this message instead. Mark (Masatsugu) Nagata

It may take up to 24-hours before these background updates occur and your Mac needs to be awake and logged in at the time. I can assure you that SilentKnight is correct in what it is telling you, in that my Gatekeeper and MRT have been updated to the latest versions for Sierra, High Sierra and Mojave. If you don’t receive those updates by this time tomorrow I recommend you use the features of SilentKnight to force the installation of those updates.

Thanks for your suggestion, Al. My iMac was indeed at least 30 hours awake (using the “Disable Screen Saver” screen hot corner overnight) after I saw your message last week, but the situation didn’t change. I think I will wait for Apple to recognize the thing (or rather, will see if/when Apple does it) - I have never used the FaceTime camera anyway, for any kind of communication with the outside world.

If by “Apple” you are referring to macOS, then since it hasn’t noticed by now (and indeed for a very long time according to your earlier observations) it will never happen. If you don’t use SilentKnight to update those two processes, it won’t happen until the next Security Update for High Sierra is released. Again, I must surmise you have a systemic issue of some sort with properly receiving background updates.

Neither MRT nor Gatekeeper have anything to do with your FaceTime camera. That was patched by the Security Update.

MRT removes any accidentally installed malware.

Gatekeeper makes certain that you don’t download anything from the Internet that violates your AppStore settings with respect to signing, causes XProtect to check for a malware installer and to prevent the launch of any app or process who’s DeveloperID has been revoked.

How could we find out / troubleshoot the “systemic issue of some sort with properly receiving background updates”? To me, that’s the central point in this case.

Sorry, but I’ve already covered all the troubleshooting knowledge I have and I’ve been looking into these things ever since I became aware of these updates over eight years ago when XProtect was introduced into OS X 10.6.7. I’ve submitted numerous problem reports to Apple Security when an update failed for me, some of which were eventually fixed. I still have a nagging issue with incomplete App Store updates to Sierra and have found a workaround for that. Unfortunately, that one won’t work for you.

You might be able to detect what is going wrong by using a combination of a Terminal command followed by analysis of your install.log, but that’s probably a long shot, depending on your expertise in that area and the ability of that log to provide useful diagnostic information.

Your situation is unusual, but not totally unheard of. My only suggestions in these cases has been to erase the drive, reinstall the OS with no migration then re-install all apps from source, Finder copy needed user documents and reset all preferences. As far as I know, nobody was willing to take such drastic steps, so I can’t guarantee that even those steps would do the trick.

Still wondering.

Skype, Google Hangouts, or FaceTime, to name a few.