UPDATE: Apple has sent out a silent security update to Macs to remove software that was automatically installed by RingCentral and Zhumu.
I've already written something about Zoom vulnerabilities (CVE-2019-13576, CVE-2019-13586) in my WeeklyRoundup, but today the security researcher Karan Lyons, has published a new video confirming that the same RCE flaw is exploitable also in RingCentral and Zhumu (a chinese rebrand of Zoom) for macOS users.
The Zoom conferencing app contained a vulnerability that resides in its click-to-join feature, which automatically turns on users' webcam when they visit an invite link and in its local web server running on port 19421 that Zoom client installs to offer this feature.
This local server receives commands over HTTP, allowing any website to interact with it, and it doesn't get uninstalled when users remove the Zoom client from their systems, leaving them vulnerable forever.
With a silent update, Apple pushed a patch that automatically removes the Zoom web server without requiring any user interaction, fixing the flaw.
However, no update has been pushed by Apple to solve the new two security issue.
According to TheHackerNews:
RingCentral has already released an updated version (v7.0.151508.0712) of its meeting app for macOS that patches both vulnerabilities by removing the vulnerable web server installed by the video conferencing software.
As explained in our previous article by Mohit Kumar, Apple released a silent update for its macOS users to remove the Zoom local web server (ZoomOpener daemon) for all users. However, Apple update did not remove the local server installed by RingCentral and Zhumu.
Luckily, Karan Lyons has published a custom procedure for manually remove the vulnerable webserver:
To remove the three currently known daemons manually, run these commands in your Terminal:
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener" rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener" rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
These three commands do the same thing for the three most popular white labels of Zoom (Zoom, RingCentral, and Zhumu). They remove the web server if it exists at the hidden directory , and create an empty file and set permissions on it such that the hidden server cannot be reinstalled back to that location. Finally they kill the server if it is running.