Asia's Source for Enterprise Network Knowledge

Monday, March 27th, 2017

Security

Cisco scrambling to fix a remote-code-execution problem in WebEx

Cisco’s Webex Browser Extension contain a critical bug that can open up customers’ entire computers to remote code execution attacks if the browsers visit websites containing specially crafted malicious code.

The company says it is in the process of correcting the problem, and has apparently made a few initial steps toward a permanent fix. It says there is no workaround available.

The flaw allows Web sites containing a certain code pattern to open a WebEx session to the browser and “to execute arbitrary code on the affected system, which could be used to conduct further attacks,” according to a Cisco advisory.

The Cisco advisory has added a fuller description of the problem:

"A vulnerability in Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Meetings Center when they are running on Microsoft Windows.

"The vulnerability is due to a design defect in an application programing interface (API) response parser within the plugin. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

"Version 1.0.5 of the Cisco WebEx Plugin for Chrome did not fully remediate the vulnerability and a new update is being prepared."

The advisory says it has begun to issue software updates to address the problem, but so far the process is not complete.

The vulnerability affects all current, previous, and deprecated versions of the Cisco WebEx browser extensions for Chrome, Firefox, and Internet Explorer for Windows, the advisory says. It does not affect browser extensions for Mac or Linux, nor Cisco WebEx browser extensions for Microsoft Edge.

The best thing to do is remove WebEx software from Windows machines by using the removal tool found here. If it’s necessary to join WebEx meetings, users can do so via Microsoft Edge, which is not vulnerable to the attack.

Customers should monitor the Cisco Advisories and Alerts page here to keep abreast of the latest fixes for this problem.

The WebEx extension for Google Chrome version 1.0.5 contains a fix. To update open Chrome Settings > Extensions > Developer mode > Update extensions now.

The vulnerability was reported here three days ago by Tavis Ormandy of Google’s Project Zero bug-hunting team. He says that a “magic patten” - cwcsf- nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html – contained in a Web site enables it to open a connection to the browser extension. And, he says, “this magic string is enough for any website to execute arbitrary code.”