Cisco Rolls Out ‘Dubious’ Fix For WebEx Vulnerability

Cisco has rushed through a patch for a WebEx Chrome extension vulnerability which allowed attackers to remotely execute commands on Windows machines.

Google white hat hacker Tavis Ormandy discovered the flaw in the plugin which currently has around 20 million active users and is part of Cisco’s popular web conferencing software.

Ormandy notified Cisco of the vulnerability over the weekend, with a patch arriving around 48 hours later.

WebEx flaw

“The extension works on any URL that contains the magic pattern “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”, which can be extracted from the extensions manifest,” Ormandy writes. “Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.

“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).”

Upon investigating the bug, Ormandy found that a user with WebEx installed just had to browse a website that was targeting the plugin and the computer would become infected with malware.

After temporarily blocking new installations of WebEx, Cisco promptly rolled out a new version of the plugin (1.0.3) which involved the “acceptable fix” of “limiting the magic URL to https://*.webex.com/…”

However, despite Ormandy praising Cisco for its quick response, not everyone is satisfied with the patch. One user expressed their “extreme dubiousness about this fix”, with another saying that “the update provided does nothing to improve the situation”.

We contacted Cisco for comment and received the following response: “Cisco puts the security of our customers first. When we have a vulnerability in our products, we issue a Security Advisory to make sure our customers are informed about the issue and how it can be remediated.

“Cisco is in the process of investigating all aspects of the Cisco WebEx Browser Extension Remote Code Execution Vulnerability. On January 24, 2017, Cisco published a security advisory to address this issue. We have already started publishing many of the fixes for affected versions, and will continue to publish additional updates as they become available in the coming days.”

Security was a significant focus for Cisco in 2016, as the company launched a £7.5 million ($10m) cyber security scholarship programme and acquired cloud-based security provider CloudLock for $293 million (£219m).

However, it also confirmed plans to cut around 20 percent of its workforce as part of a restructuring project and suffered an embarrassing data breach after one of its website leaked the personal details of job applicants.

What do you know about Cisco? Take our quiz and find out!

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

AI Researchers In West, China Identify AI ‘Red Lines’

Leading AI researchers in the West and China identify key 'red lines' that AI must…

52 mins ago

Nvidia Introduces Next-Generation ‘Blackwell’ AI Chips

Nvidia introduces next-generation AI accelerator chips at GCT 2024 developer conference amidst surge in demand

1 hour ago

Apple In Talks With Google To Bring Gemini AI To iPhones

Apple reportedly in talks with Google to use Gemini for generative AI tasks on iPhones…

2 hours ago

US Senators Voice Support For TikTok Bill

Some US senators say they support bill that could result in TikTok ban, while US…

2 hours ago

Government Wants Flying Taxis In Operation By 2028

Flying taxis could become reality in UK in next four years under new government action…

3 hours ago

SpaceX ‘Developing Spy Satellites’ For US Agency

SpaceX reportedly developing network of hundreds of low-orbit spy satellites for US intelligence agency under…

3 hours ago