Cisco starts patching critical flaw in WebEx browser extension

The vulnerability could allow attackers to remotely execute malicious code on computers

Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.

The company released a patched version of the extension -- 1.0.7 -- for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.

The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx extension exposed functionality to any website that had "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html" in its URL or inside an iframe. Some of that WebEx functionality allowed for the execution of arbitrary code on computers.

Cisco tried to fix the problem in version 1.0.5 by restricting the sensitive features only to the *.webex.com or *.webex.com.cn domains. That didn't solve the problem completely because any cross-site scripting (XSS) vulnerability on those domains could be used to bypass the restrictions.

XSS is one of the most common types of vulnerabilities on the web and webex.com has more than 500 defined subdomains. Chances are high that multiple XSS flaws exist those websites and, in fact, Ormandy found one and proved a bypass of the initial patch.

Cisco added further restrictions in version 1.0.7 of the WebEx extension that appears to block all known bypass methods.

"It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx," Ormandy said. "This looks like a huge improvement."

Ormandy added that he doesn't currently know of any way to defeat the new patch, so users should upgrade to the latest version as soon as possible.

The Chrome WebEx extension alone has around 20 million active users, so the risk of attacks is high, especially since details of this vulnerability have been public for days. IE and Firefox users who have the extension installed should disable it until a fixed version is released for those browsers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?