Critical code execution flaw found in Cisco’s WebEx extension

Why it issues to you

This concern exhibits that even the most important, most tech-savvy corporations can simply fall foul of safety vulnerabilities.

A Google Chrome browser extension with a consumer base of 20 million has been up to date to patch a critical safety vulnerability that made it potential to run malicious code with a minimal of effort. Customers of the Cisco Methods WebEx extension are inspired to make it possible for they’ve up to date to model 1.zero.three.

The difficulty was found by safety researcher Tavis Ormandy, who alerted the corporate privately earlier than publishing a blog post discussing the state of affairs. Ormandy is a member of Undertaking Zero, a group assembled by Google to seek out zero-day vulnerabilities.

WebEx makes use of a sixty four-character string to remotely begin a gathering on a PC with the extension put in. This string merely must be included within the URL of a file or useful resource hosted by an internet site — it could actually even be tucked away in a HTML-based mostly iframe tab, making it harder to detect.

Extra: Hackers hit Sundance Film Festival

Ormandy discovered that this string could possibly be used for far more than simply initializing a WebEx session. Malicious entities might run any code or command they appreciated on one other consumer’s system, just by having them go to a website that contained this string whereas utilizing the Chrome browser with the WebEx extension operating.

This specific vulnerability had the potential to be catastrophic, provided that it focused a service that’s generally utilized in an enterprise setting. Safety researcher Martijn Grooten famous that the exploit might have brought on chaos if it have been mixed with a ransomware assault, commenting on the state of affairs in a report by Ars Technica.

Sadly, there are nonetheless some lingering worries concerning the safety of the extension. Particularly, there are considerations that attackers would be capable of reap the benefits of the hole in its safety if Cisco’s WebEx web site was to endure a cross-website scripting vulnerability.

For now, one of the best recourse is to make sure that all installations of the WebEx extension have been up to date to model 1.zero.three. This patch ought to have utilized routinely, however customers can verify for themselves by accessing the Extensions menu in Chrome.

Leave a Reply

Your email address will not be published. Required fields are marked *