Cisco plugs command-injection hole in WebEx Chrome, Firefox plugins
Make sure you've updated if you're using Windows
Cisco has patched its Chrome and Firefox WebEx plugins to kill a bug that allows evil webpages to execute commands on computers.
A malicious page, when visited by a vulnerable Windows machine, can exploit the security flaw (CVE-2017-6753) to run arbitrary commands and code with the same privileges as the browser. In other words, the page can abuse the installed plugins to hijack the PC.
The hole is present in the Chrome and Firefox plugins for Cisco WebEx Meetings Server and Cisco WebEx Centers, and affects products including WebEx Meeting Center, Event Center, Training Center and Support Center. Internet Explorer and Edge are not considered vulnerable, and both OS X and Linux versions of Chrome and Firefox are also safe.
The bug was discovered by Google Project Zero researcher Tavis Ormandy and Divergent Security's Cris Neckar.
"A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system," Cisco said on Monday.
"This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.
"The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser."
Those running Chrome and Firefox plugins for WebEx should already have the patches running on their machines. Cisco kicked out the automatic update for Chrome on July 12 and Firefox on July 13. Users can see if their versions are the fixed release (1.0.12) by going to the extensions menu in the browser and, if an older version is run, selecting the "update extensions now" (Chrome) or "check for updates" (Firefox) option.
Cisco says that while only the Chrome and Firefox plugins on Windows boxes are vulnerable to the flaw described, shared code between those browsers and the Internet Explorer/Edge plugins means that an update for Microsoft browsers has been released as well. ®