CERT warns of Cisco WebEx vulnerability


Cisco has patched its WebEx conferencing plug-ins for Chrome and Firefox because a newly discovered flaw could allow outsiders to take control of a system.

In a July 17 advisory on its website, the company called the vulnerability “critical,” and its “common vulnerability scoring” system gave the bug a 9.6 out of a possible 10 threat score.

The U.S. Computer Emergency Readiness Team also issued a notice concerning Cisco’s security update on July 17, the same day Cisco issued its advisory.

The bug was originally detected by Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar on July 6. The patch was publicly released on July 17.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco’s notification said. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”

The company said its WebEx browser extensions for Mac or Linux, its WebEx on Microsoft Edge or Internet Explorer, and its WebEx Productivity Tools are not vulnerable.

CERT’s advisory, along with its notification of the available patches, also said the flaw in the Chrome and Firefox browser extensions could be used by a remote user to take control of a system.

Cisco sells Federal Risk and Authorization Management Program-approved web conferencing and hosted collaboration solutions to the federal government.

A company spokeswoman told FCW in an email she couldn’t provide an immediate comment on whether the vulnerability affected those products. She said, however, that all Chrome and Firefox browser extensions running on Windows are affected, and customers should update immediately.

For most users, the spokeswoman said, the patched versions will install automatically during their next WebEx session. She added that fixed versions are available for systems that need manual updates by an administrator.

For users whose systems don’t allow automatic updates and have not yet been patched by administrators, the security advisory outlines alternate browser options and other security measures for immediate consideration.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

