Cisco has patched a serious remote code execution flaw in its WebEx extensions for both Google Chrome and Mozilla Firefox, a bug that could be exploited quite easily.
The vulnerability affects several different browser extensions produced by WebEx, including the Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings extensions.
“The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser,” Cisco said in its advisory for the bug.
Researcher Tavis Ormandy from Google’s Project Zero and Chris Neckar from Divergent Security discovered the vulnerability and reported it to Cisco. The company said customers should patch as soon as possible, as there is no practical workaround for this flaw.
“There are no workarounds that address this vulnerability. However, Mac users may use Safari to join WebEx meetings because Safari is not affected by this vulnerability. Windows users may use Internet Explorer and administrators and users of Windows 10 systems may use Microsoft Edge to join and participate in WebEx sessions because Microsoft Internet Explorer and Microsoft Edge are not affected by this vulnerability,” the advisory says.
Ormandy has also produced a working exploit for the vulnerability, making prompt deployment of the patch even more important.