CIO

Cisco scrambling to fix a remote-code-execution problem in WebEx

There are no workarounds and no final patch
  • Tim Greene (Network World)
  • 26 January, 2017 00:01

Cisco’s WebEx browser extension contains a critical bug that can open up customers’ entire computers to remote code execution attacks if the browsers visit websites containing specially crafted malicious code.

The company says it is in the process of correcting the problem, and has apparently made a few initial steps toward a permanent fix. It says there is no workaround available.


The flaw allows Web sites containing a certain code pattern to open a WebEx session to the browser and “to execute arbitrary code on the affected system, which could be used to conduct further attacks,” according to a Cisco advisory.

The advisory says Cisco has begun to issue software updates to address the problem, but so far the process is not complete.

The vulnerability affects all current, previous, and deprecated versions of the Cisco WebEx browser extensions for Chrome, Firefox, and Internet Explorer for Windows, the advisory says. It does not affect browser extensions for Mac or Linux, nor Cisco WebEx browser extensions for Microsoft Edge.

The best thing to do is remove WebEx software from Windows machines by using the removal tool found here. If it’s necessary to join WebEx meetings, users can do so via Microsoft Edge, which is not vulnerable to the attack.

Customers should monitor the Cisco Advisories and Alerts page here to keep abreast of the latest fixes for this problem.

The WebEx extension for Google Chrome version 1.0.5 contains a fix. To update, open Chrome Settings > Extensions > Developer mode > Update extensions now.

The vulnerability was reported here three days ago by Tavis Ormandy of Google’s Project Zero bug-hunting team. He says that a “magic pattern” (cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html) contained in a Web site enables it to open a connection to the browser extension. And, he says, “this magic string is enough for any website to execute arbitrary code.”
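As an added detection example (not from the article, Cisco's advisory or Ormandy's report), the following Python scans web-proxy log lines for the magic string quoted above, decoding percent-escapes before matching. The log format, the `TRUSTED_SUFFIXES` allowlist and every sample line are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Magic string quoted in the article (from Tavis Ormandy's report).
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
ENCODED = MAGIC.replace("-", "%2D")  # same string with hyphens percent-encoded

# Assumption: domain suffixes treated as legitimate WebEx origins; adjust locally.
TRUSTED_SUFFIXES = (".webex.com",)

# Constructed sample lines; assumed format: "<time> <client> <method> <url>"
SAMPLE_LOG = f"""\
2017-01-24T09:14:02Z 10.0.0.21 GET https://example.test/news/index.html
2017-01-24T09:15:40Z 10.0.0.21 GET http://untrusted.example/a/{MAGIC}
2017-01-24T09:16:11Z 10.0.0.37 GET https://cdn.untrusted.example/x?u={ENCODED}
2017-01-24T09:17:55Z 10.0.0.52 GET https://site.webex.com/m/{MAGIC}
2017-01-24T09:18:03Z 10.0.0.52 GET https://webex.com.untrusted.example/{MAGIC}
"""

def fully_unquote(s, rounds=3):
    """Percent-decode repeatedly so %2D and %252D variants still match."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_trusted(host):
    """True only for an allowlisted domain or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)

def find_hits(log_text):
    """Return one record per log line whose URL carries the magic string."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        ts, client, _method, url = parts[:4]
        if MAGIC not in fully_unquote(url).lower():
            continue
        host = urlsplit(url).hostname
        hits.append({"time": ts, "client": client, "host": host,
                     "trusted": is_trusted(host)})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Hits with `trusted` set to `False` identify clients running Windows browsers that loaded the pattern from an origin outside the allowlist, which are the machines to prioritize for extension removal or update.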