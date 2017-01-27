News

Cisco starts patching critical flaw in WebEx browser extension

The vulnerability could allow attackers to remotely execute malicious code on computers

|

Romania Correspondent, IDG News Service |

collaboration public domain
Credit: Pixabay
More like this

Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.

The company released a patched version of the extension -- 1.0.7 -- for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.

The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx extension exposed functionality to any website that had "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html" in its URL or inside an iframe. Some of that WebEx functionality allowed for the execution of arbitrary code on computers.

Cisco tried to fix the problem in version 1.0.5 by restricting the sensitive features only to the *.webex.com or *.webex.com.cn domains. That didn't solve the problem completely because any cross-site scripting (XSS) vulnerability on those domains could be used to bypass the restrictions.

XSS is one of the most common types of vulnerabilities on the web, and webex.com has more than 500 defined subdomains. Chances are high that multiple XSS flaws exist on those websites and, in fact, Ormandy found one and proved a bypass of the initial patch.

Cisco added further restrictions in version 1.0.7 of the WebEx extension that appears to block all known bypass methods.

"It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx," Ormandy said. "This looks like a huge improvement."

Ormandy added that he doesn't currently know of any way to defeat the new patch, so users should upgrade to the latest version as soon as possible.

The Chrome WebEx extension alone has around 20 million active users, so the risk of attacks is high, especially since details of this vulnerability have been public for days. IE and Firefox users who have the extension installed should disable it until a fixed version is released for those browsers.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Related:

Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.

Fix Windows 10 problems with these free Microsoft tools
You Might Like
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.
What Readers Like
Tianhe 2
China reminds Trump that supercomputing is a race

China said it plans to develop a prototype of an exascale supercomputer by the end of this year,...

Chart and image gallery: 30+ free tools for data visualization and analysis

This sortable chart lets you compare dozens of tools for functionality, skill level and more.

Google Keep
Why you should start using Google Keep right away

Services like Keep, Evernote and Microsoft OneNote are often called "note-taking apps." But they've...

BrandPosts
Learn more
Popular Resources
Top Stories
keyboard user security
A.I.-based typing biometrics might be authentication's next big thing

Thanks to advances in artificial intelligence, identifying people based on how they type can now be...

elite slice for meeting rooms
Face-to-face without frustration: The HP Elite Slice for Meeting Rooms

The new HP Elite Slice for Meeting Rooms is a modular, compact Windows system that has been specially...

0548 as 12
The lack of physical buttons on the Samsung Galaxy S8 could be an issue

The Samsung Galaxy S8 probably won't have a physical home button on front. That could be a problem.

samsungunpacked 02
Here’s why President Mark Zuckerberg is such a bad idea

Sure, he is going to visit every state this year. That does not mean he should be President. In some...