CERT warns of Cisco WebEx vulnerability


Cisco has patched its WebEx conferencing plug-ins for Chrome and Firefox because a newly discovered flaw could allow outsiders to take control of a system.

In a July 17 advisory on its website, the company called the vulnerability “critical” and scored the bug 9.6 out of a possible 10 under the Common Vulnerability Scoring System.

The U.S. Computer Emergency Readiness Team also issued a notice concerning Cisco’s security update on July 17, the same day Cisco issued its advisory.

The bug was originally detected by Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar on July 6. The patch was publicly released on July 17.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco’s notification said. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”

The company said its WebEx browser extensions for Mac or Linux, its WebEx on Microsoft Edge or Internet Explorer, and its WebEx Productivity Tools are not vulnerable.

CERT’s advisory, along with its notification of the available patches, also said the flaw in the Chrome and Firefox browser extensions could be used by a remote user to take control of a system.

Cisco sells Federal Risk and Authorization Management Program-approved web conferencing and hosted collaboration solutions to the federal government.

A company spokeswoman told FCW in an email she couldn’t provide an immediate comment on whether the vulnerability affected those products. She said, however, that all Chrome and Firefox browser extensions running on Windows are affected, and customers should update immediately.

The spokeswoman said that for most users the patched versions will automatically install during their next WebEx session, and added that fixed versions are available for systems that need manual updates by an administrator.

For users whose systems don’t allow automatic updates and have not yet been patched by administrators, the security advisory outlines alternate browser options and other security measures for immediate consideration.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.
