CERT warns of Cisco WebEx vulnerability

Cisco has updated its conferencing tool because of the newly discovered bug.

Cisco has patched its WebEx conferencing plug-ins for Chrome and Firefox because a newly discovered flaw could allow outsiders to take control of a system.

In a July 17 advisory on its website, the company called the vulnerability “critical,” and its “common vulnerability scoring” system gave the bug a 9.6 out of a possible 10 threat score.

The U.S. Computer Emergency Readiness Team also issued a notice concerning Cisco’s security update on July 17, the same day Cisco issued its advisory.

The bug was originally detected by Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar on July 6. The patch was publicly released on July 17.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco’s notification said. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”

The company said its WebEx browser extensions for Mac or Linux, its WebEx on Microsoft Edge or Internet Explorer, and its WebEx Productivity Tools are not vulnerable.

CERT’s advisory, along with its notification of the available patches, also said the flaw in the Chrome and Firefox browser extensions could be used by a remote user to take control of a system.

Cisco sells Federal Risk and Authorization Management Program-approved web conferencing and hosted collaboration solutions to the federal government.

A company spokeswoman told FCW in an email she couldn’t provide an immediate comment on whether the vulnerability affected those products. She said, however, that all Chrome and Firefox browser extensions running on Windows are affected, and customers should update immediately.

For most users, the spokeswoman said, the patched versions will install automatically during their next WebEx session. She added that fixed versions are available for systems that need manual updates by an administrator.

For users whose systems don’t allow automatic updates and have not yet been patched by administrators, the security advisory outlines alternate browser options and other security measures for immediate consideration.