Cisco scrambling to fix a remote code execution problem in WebEx

There’s no workaround and no final patch for a critical bug that can open up users’ computers to remote code execution attacks

Cisco’s WebEx browser extension contains a critical bug that can open up customers’ entire computers to remote code execution attacks if their browsers visit websites containing specially crafted malicious code.

The company says it is in the process of correcting the problem, and has apparently made a few initial steps toward a permanent fix. It says there is no workaround available.

The flaw allows websites containing a certain code pattern to open a WebEx session to the browser and “to execute arbitrary code on the affected system, which could be used to conduct further attacks,” according to a Cisco advisory.

The advisory says Cisco has begun to issue software updates to address the problem, but so far the process is not complete.

The vulnerability affects all current, previous, and deprecated versions of the Cisco WebEx browser extensions for Chrome, Firefox, and Internet Explorer for Windows, the advisory says. It does not affect browser extensions for Mac or Linux, nor Cisco WebEx browser extensions for Microsoft Edge.

The best thing to do is remove WebEx software from Windows machines by using the removal tool found here. If it’s necessary to join WebEx meetings, users can do so via Microsoft Edge, which is not vulnerable to the attack.

Customers should monitor the Cisco Advisories and Alerts page here to keep abreast of the latest fixes for this problem.

The WebEx extension for Google Chrome version 1.0.5 contains a fix. To update, open Chrome Settings > Extensions > Developer mode > Update extensions now.

The vulnerability was reported here three days ago by Tavis Ormandy of Google’s Project Zero bug-hunting team. He says that a “magic pattern” – cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html – contained in a Web site enables it to open a connection to the browser extension. And, he says, “this magic string is enough for any website to execute arbitrary code.”
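Because the trigger is a fixed string in a URL, web proxy logs can be searched for it. The following is an added example, not code from the article, Cisco or Project Zero: it flags requests that contain the magic pattern but go to hosts outside an expected set. The `ts client url` log format, the sample hosts and the `EXPECTED_SUFFIXES` allowlist are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Pattern quoted in the article from Tavis Ormandy's report.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
# Assumption: domains your organisation expects to serve WebEx meeting pages.
EXPECTED_SUFFIXES = ("webex.com",)

def host_expected(host):
    """True only for an exact domain or a real subdomain of an expected suffix."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def decode_fully(text, rounds=3):
    """Undo (possibly nested) percent-encoding so %2D-style variants still match."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(url):
    """Return 'none', 'expected' or 'suspicious' for one requested URL."""
    if MAGIC not in decode_fully(url).lower():
        return "none"
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL: treat the host as unknown
        host = None
    return "expected" if host_expected(host) else "suspicious"

def scan(lines):
    """Return (timestamp, client, url) tuples for suspicious 'ts client url' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and classify(parts[2]) == "suspicious":
            hits.append(tuple(parts))
    return hits

# Constructed sample log lines (timestamps, hosts and clients are made up).
SAMPLE_LOG = [
    f"2017-01-01T10:00:01Z 10.0.0.5 https://meetings.webex.com/x/{MAGIC}",
    f"2017-01-01T10:00:07Z 10.0.0.8 https://site.example.test/{MAGIC}?a=1",
    f"2017-01-01T10:00:09Z 10.0.0.9 https://webex.com.example.test/{MAGIC}",
    "2017-01-01T10:00:12Z 10.0.0.8 https://site.example.test/p/" + MAGIC.replace("-", "%252D"),
    "2017-01-01T10:00:15Z 10.0.0.7 https://news.example.test/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("review:", *hit)
```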

This story, "Cisco scrambling to fix a remote code execution problem in WebEx" was originally published by Network World.

Copyright © 2017 IDG Communications, Inc.
