As part of the Zoom vulnerability issue, further problems have been discovered as security researchers look into the local webserver installed by older versions of the Zoom app for macOS.
RCE Alert!
That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!
Proof of concepts exist!
Mac Admins: make sure Zoom is up to date or that daemon is removed!
This vulnerability is now tracked under:
CVE-2019-13567 https://t.co/FxkGzYhhFD— Jonathan Leitschuh (@JLLeitschuh) July 11, 2019
RCE Alert! Apple has moved quickly and released an update to MRT (Malware Removal Tool) which addresses the issue by removing the local webserver. This update has the following version number:
1.45.1.1562731315
The installer package receipt associated with it is the following:
com.apple.pkg.MRTConfigData_10_14.16U4071
To verify that you have this installed, here’s a one-line command to check for the latest installed MRT installer package:
To verify that com.apple.pkg.MRTConfigData_10_14.16U4071 does install 1.45.1.1562731315, here’s a one-line command to get the version number from the latest installed MRT installer package receipt:
To assist with getting information like this for Gatekeeper, MRT and XProtect, I’ve written a script that pulls the following information for each:
- Version number
- Installation date
- Installer package receipt identifier
For more information, please see below the jump.
As of Friday, July 12 2019, the script below is producing the following output for my Mac running macOS 10.14.5 with the latest MRT update installed: