Cisco is fixing a vulnerability in the Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
Attackers can exploit the Chrome vulnerability for malicious remote code execution.
The vulnerability ended up discovered by Google bug hunter Tavis Ormandy.
“The extension works on any URL that contains the magic pattern ‘cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html’, which can be extracted from the extensions manifest,” Ormandy said in a blog post.
“Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.”
The vulnerability is due to the use of a crafted pattern by the affected software, Cisco said in an advisory. An attacker could exploit this vulnerability by directing a user to a web page that contains the crafted pattern and starting a WebEx session. The WebEx session could allow the attacker to execute arbitrary code on the affected system, which could be used to conduct further attacks.
The vulnerability affects all current, previous, and deprecated versions of the Cisco WebEx browser extensions for Chrome, Firefox, and Internet Explorer for Windows, Cisco said.
Cisco pushed out a new version (1.0.3) of the Chrome extension that supposedly plugs the hole, but according to the discussion that followed the revelation of the bug, the fix is partial: The new version of the extension still allows the webex.com domain and its subdomains to invoke the “magic pattern” to remotely start a WebEx meeting.
For those who need WebEx for work is the extension does not end up needed to join Webex meetings – they can simply run a temporary application.