CERT warns of Cisco WebEx vulnerability
- By Mark Rockwell
- Jul 18, 2017
Cisco has patched its WebEx conferencing plug-ins for Chrome and Firefox because a newly discovered flaw could allow outsiders to take control of a system.
In a July 17 advisory on its website, the company called the vulnerability “critical,” and its “common vulnerability scoring” system gave the bug a 9.6 out of a possible 10 threat score.
The U.S. Computer Emergency Readiness Team also issued a notice concerning Cisco’s security update on July 17, as Cisco issued its advisory.
The bug was originally detected by Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar on July 6. The patch was publicly released on July 17.
“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco’s notification said. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”
The company said its WebEx browser extensions for Mac or Linux, its WebEx on Microsoft Edge or Internet Explorer, and its WebEx Productivity Tools are not vulnerable.
CERT’s advisory, along with its notification of the available patches, also said the flaw in the Chrome and Firefox browser extensions could be used by a remote user to take control of a system.
Cisco sells Federal Risk and Authorization Management Program-approved web conferencing and hosted collaboration solutions to the federal government.
A company spokeswoman told FCW in an email she couldn’t provide an immediate comment on whether the vulnerability affected those products. She said, however, that all Chrome and Firefox browser extensions running on Windows are affected, and customers should update immediately.
For most users, the spokeswoman said, the patched versions will automatically install during their next WebEx session, and added that fixed versions are available for systems that need manual updates by an administrator.
For users whose systems don’t allow automatic updates and have not yet been patched by administrators, the security advisory outlines alternate browser options and other security measures for immediate consideration.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.