Cisco Rolls Out ‘Dubious’ Fix For WebEx Vulnerability

Cisco has rushed through a patch for a WebEx Chrome extension vulnerability that allowed attackers to remotely execute commands on Windows machines.

Google white hat hacker Tavis Ormandy discovered the flaw in the plugin, which currently has around 20 million active users and is part of Cisco’s popular web conferencing software.

Ormandy notified Cisco of the vulnerability over the weekend, with a patch arriving around 48 hours later.

WebEx flaw

“The extension works on any URL that contains the magic pattern ‘cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html’, which can be extracted from the extension’s manifest,” Ormandy writes. “Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening; visiting any website would be enough.

“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).”

Upon investigating the bug, Ormandy found that a user with WebEx installed only had to visit a website targeting the plugin, and the computer would become infected with malware.

After temporarily blocking new installations of WebEx, Cisco promptly rolled out a new version of the plugin (1.0.3) which involved the “acceptable fix” of “limiting the magic URL to https://*.webex.com/…”
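As an added illustration (not Cisco’s extension code, nor Ormandy’s proof of concept), the following models the two activation checks the article describes: the pre-fix match on the magic pattern anywhere in a URL, and the post-fix restriction to https://*.webex.com/. MAGIC is the file name quoted above; the sample URLs and function names are constructed for this example. It models only the origin restriction as quoted, and says nothing about whether that restriction was sufficient, which the article notes was disputed.

```javascript
// Added illustration, not Cisco's or Ormandy's code: models the two checks
// described in the article. MAGIC is the file name quoted in the text;
// function names and sample URLs are constructed here.
const MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";

// Pre-fix behaviour as described: the extension activates whenever the magic
// pattern appears anywhere in the page URL, regardless of which site serves it.
function activatesBeforeFix(pageUrl) {
  return pageUrl.includes(MAGIC);
}

// Does a hostname fall under the match-pattern host "*.webex.com"?
// That host pattern covers webex.com itself and its subdomains, but must not
// accept look-alikes such as "evil-webex.com" or "webex.com.attacker.example".
function hostMatchesWebex(hostname) {
  const h = hostname.toLowerCase();
  return h === "webex.com" || h.endsWith(".webex.com");
}

// Post-fix behaviour as described: the magic URL is limited to
// https://*.webex.com/... The scheme must be https, the host must be under
// webex.com, and the pattern must be in the path, not merely in a query string.
function activatesAfterFix(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable input never activates
  }
  return u.protocol === "https:" && hostMatchesWebex(u.hostname) && u.pathname.includes(MAGIC);
}

// Constructed sample URLs: one legitimate page, then the kinds of page an
// origin check has to reject even though each contains the magic pattern.
const SAMPLES = [
  `https://meetings.webex.com/${MAGIC}`,                          // legitimate
  `https://attacker.example/${MAGIC}`,                             // any site, pre-fix
  `https://attacker.example/?next=https://x.webex.com/${MAGIC}`,   // pattern only in query
  `https://evil-webex.com/${MAGIC}`,                               // look-alike host
  `https://webex.com.attacker.example/${MAGIC}`,                   // webex.com as a prefix label
  `http://meetings.webex.com/${MAGIC}`,                            // wrong scheme
];

// Returns, for each URL, whether the pre-fix and post-fix checks would activate.
function compare(urls = SAMPLES) {
  return urls.map((url) => ({ url, before: activatesBeforeFix(url), after: activatesAfterFix(url) }));
}
```

Running compare() shows the pre-fix check activating on all six URLs and the post-fix check on only the first.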

However, despite Ormandy praising Cisco for its quick response, not everyone is satisfied with the patch. One user expressed their “extreme dubiousness about this fix”, with another saying that “the update provided does nothing to improve the situation”.

We contacted Cisco for comment and received the following response: “Cisco puts the security of our customers first. When we have a vulnerability in our products, we issue a Security Advisory to make sure our customers are informed about the issue and how it can be remediated.

“Cisco is in the process of investigating all aspects of the Cisco WebEx Browser Extension Remote Code Execution Vulnerability. On January 24, 2017, Cisco published a security advisory to address this issue. We have already started publishing many of the fixes for affected versions, and will continue to publish additional updates as they become available in the coming days.”

Security was a significant focus for Cisco in 2016, as the company launched a £7.5 million ($10m) cyber security scholarship programme and acquired cloud-based security provider CloudLock for $293 million (£219m).

However, the company also confirmed plans to cut around 20 percent of its workforce as part of a restructuring project, and suffered an embarrassing data breach after one of its websites leaked the personal details of job applicants.

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
