Additional Zoom remediation from Apple via MRT
Apple had released an MRT update on July 12th to cover the vulnerabilities disclosed for Zoom and RingCentral, but then additional Zoom variants popped up on the radar.
To fix all of the variants, Apple has released another MRT (Malware Removal Tool) update today. This fixes the vulnerabilities found in Zoom and its various white label versions which Zoom developed for third parties:
- Zoom
- RingCentral
- TelusMeetings
- BT Cloud Meetings
- Office Suite HD Meeting
- AT&T Video Meetings
- Biz Conf
- Huihui
- UMeeting
- Zhumu
- Zoom CN
This MRT update has the following version number:
1.46.1.1563225526
The installer package receipt associated with it is the following:
com.apple.pkg.MRTConfigData_10_14.16U4075
To verify that you have this installed, here’s a one-line command to check for the latest installed MRT installer package:
printf "%s\n" $(pkgutil --pkgs=".*MRT.*") | sort -k1 | tail -1
To verify that com.apple.pkg.MRTConfigData_10_14.16U4075 does install 1.46.1.1563225526, here’s a one-line command to get the version number from the latest installed MRT installer package receipt:
pkgutil --pkg-info-plist "$(printf "%s\n" $(pkgutil --pkgs=".*MRT.*") | sort -k1 | tail -1)" | plutil -extract pkg-version xml1 - -o - | xmllint --xpath 'string(//plist/string)' -
To assist with getting information like this for Gatekeeper, MRT and XProtect, I’ve written a script that pulls the following information for each:
- Version number
- Installation date
- Installer package receipt identifier
For more information, please see below the jump.
As of Tuesday, July 16 2019, the script below is producing the following output for my Mac running macOS 10.14.5 with the latest MRT update installed:
Gatekeeper version: 172.1.1562957441
Gatekeeper installation date: 07-16-2019
Gatekeeper package receipt identifier: com.apple.pkg.GatekeeperConfigData.16U1824

MRT version: 1.46.1.1563225526
MRT installation date: 07-16-2019
MRT package receipt identifier: com.apple.pkg.MRTConfigData_10_14.16U4075

XProtect version: 2103.1.1556314253
XProtect installation date: 05-02-2019
XProtect package receipt identifier: com.apple.pkg.XProtectPlistConfigData.16U4052
#!/bin/bash

# Report version, installation date and receipt identifier for the latest
# installed package receipt whose identifier matches $package_type.
VersionAndInstallDate(){
    # Last matching receipt identifier after sorting
    identify_latest_update=$(printf "%s\n" $(pkgutil --pkgs=".*${package_type}.*") | sort -k1 | tail -1)
    # Read the pkg-version string from the receipt's info plist
    version_info=$(pkgutil --pkg-info-plist "$identify_latest_update" | plutil -extract pkg-version xml1 - -o - | xmllint --xpath 'string(//plist/string)' -)
    # Read install date and translate it into human-readable output
    install_date_info=$(/bin/date -r "$(pkgutil --pkg-info-plist "$identify_latest_update" | plutil -extract install-time xml1 - -o - | xmllint --xpath 'string(//plist/integer)' -)" '+%m-%d-%Y')
    echo "$package_type version: $version_info"
    echo "$package_type installation date: $install_date_info"
    echo "$package_type package receipt identifier: $identify_latest_update"
}

package_type="Gatekeeper"
VersionAndInstallDate
echo ""
package_type="MRT"
VersionAndInstallDate
echo ""
package_type="XProtect"
VersionAndInstallDate
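As an added example (not part of the original post or Apple's tooling), the script below turns the MRT version check into a pass/fail test against the 1.46.1.1563225526 build named in this post, comparing the dotted version fields numerically. The function names and the embedded sample plist, including its 1.45.1.1560000000 version and EXAMPLE receipt identifier, are constructed for illustration.

```bash
#!/bin/bash
# Added example: pass/fail check against the MRT build named in the post.
REQUIRED_MRT="1.46.1.1563225526"

# Constructed, trimmed sample of `pkgutil --pkg-info-plist` output
# (version and receipt identifier are made up for illustration).
SAMPLE_PLIST='<plist version="1.0">
<dict>
    <key>pkg-version</key>
    <string>1.45.1.1560000000</string>
    <key>pkgid</key>
    <string>com.apple.pkg.MRTConfigData_10_14.EXAMPLE</string>
</dict>
</plist>'

# Print the <string> that follows <key>$1</key> in an XML plist on stdin.
plist_value() {
    sed -n "/<key>$1<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}"
}

# Succeed when dotted version $1 >= $2. Fields are compared as integers,
# left to right; a missing field counts as 0. Runs in a subshell.
version_at_least() (
    have=$1 need=$2
    while [ -n "$have" ] || [ -n "$need" ]; do
        a=${have%%.*} b=${need%%.*}
        [ "${a:-0}" -gt "${b:-0}" ] && exit 0
        [ "${a:-0}" -lt "${b:-0}" ] && exit 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $need in *.*) need=${need#*.} ;; *) need= ;; esac
    done
    exit 0
)

# Read a pkg-info plist on stdin; return 0 only for a current MRT.
mrt_status() {
    installed=$(plist_value pkg-version)
    [ -n "$installed" ] || { echo "UNKNOWN: no pkg-version found"; return 2; }
    if version_at_least "$installed" "$REQUIRED_MRT"; then
        echo "OK: MRT $installed"
    else
        echo "OUTDATED: MRT $installed (need $REQUIRED_MRT or later)"
        return 1
    fi
}

# Demo on the sample; on a Mac, pipe in `pkgutil --pkg-info-plist <receipt>`.
printf '%s\n' "$SAMPLE_PLIST" | mrt_status || true
```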
Is there a way to force the Mac to check in with Apple to get the updated MRT?
I have several Macs online, rebooted several times and they are still below ver 1.45
Looks like Apple pushed another update, the latest is 1.47.1.1563383512
@ Don, check for software updates first