Cisco WebEx is a pop communication tool for online events, including meetings, webinars together with video conferences that aid users connect together with collaborate amongst colleagues roughly the world. The extension has roughly xx 1 grand one thousand active users.
Discovered past times Tavis Ormandy of Google Project Zero together with Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect inwards the WebEx browser extension.
To exploit the vulnerability, all an assaulter ask to hit is play a joke on victims into visiting a spider web page containing especially crafted malicious code through the browser amongst affected extension installed.
Successful exploitation of this vulnerability could resultant inwards the assaulter executing arbitrary code amongst the privileges of the affected browser together with gaining command of the affected system.
"I see several problems amongst the means sanitization works, together with accept produced a remote code execution exploit to demonstrate them," Ormandy said. "This extension has over 20M [million] active Chrome users alone, FireFox together with other browsers are probable to live on affected equally well."Cisco has already patched the vulnerability together with released “Cisco WebEx Extension 1.0.12” update for Chrome together with Firefox browsers that address this issue, though "there are no workarounds that address this vulnerability."
"This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, together with Support Center), together with Cisco WebEx Meetings when they are running on Microsoft Windows," Cisco confirmed inwards an advisory released today.
Download Cisco WebEx Extension 1.0.12
In general, users are ever recommended to run all software equally a non-privileged user inwards an endeavour to diminish the effects of a successful attack.
Fortunately, Apple's Safari, Microsoft's Internet Explorer together with Microsoft's Edge are non affected past times this vulnerability.
Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, together with Cisco WebEx on Microsoft Edge or Internet Explorer are non affected past times the vulnerability, the fellowship confirmed.
The remote code execution vulnerability inwards Cisco WebEx extension has been discovered minute fourth dimension inwards this year.
Ormandy alerted the networking giant to an RCE flaw inwards the WebEx browser extension before this twelvemonth equally well, which fifty-fifty led to Google together with Mozilla temporarily removing the improver from their stores.
