Cisco released a fix for a critical remote code execution bug in its WebEx video conferencing extension for Chrome and Firefox browsers on Windows.
WebEx browser extensions
A vulnerability in the Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system, Cisco said. Cisco rated the bug, CVE-2017-6753, as critical and gave it a Common Vulnerability Scoring System (CVSS) score of 9.6 out of a possible 10.
According to Cisco, the vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.
Cisco released an updated version of the extension to the Chrome Web Store and to Mozilla's add-ons store on July 13 and July 12, respectively. Versions of the WebEx extension for Chrome and Firefox prior to 1.0.12 are affected.
The bug affects the extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers, and Cisco WebEx Meetings, and only on Windows machines. Cisco added that it does not affect WebEx on Microsoft Edge or Internet Explorer, nor the WebEx extensions for Safari on macOS or for browsers on Linux.
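The only actionable fact for a defender in the advisory text above is the version boundary: anything below 1.0.12 is affected. The following is an added example (not code from Cisco or from the article) that walks a Chrome profile's `Extensions` directory, reads each `manifest.json`, and flags WebEx extensions whose version is older than the fix. The default Chrome profile path under `%LOCALAPPDATA%` and the matching of extensions by the substring "webex" in the manifest name are assumptions; the sample manifests in the block are constructed for illustration.

```python
import json
import os
from pathlib import Path

# Version at which Cisco shipped the fix for CVE-2017-6753; anything older is affected.
FIXED_VERSION = "1.0.12"


def parse_version(v):
    """Turn a dotted version string into a tuple of ints for ordered comparison.
    Non-numeric fragments (e.g. '12beta') are reduced to their digits; empty ones become 0."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is strictly older than the fixed release.
    Tuples are padded so that '1.0' compares like '1.0.0'."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_affected(manifests, name_hint="webex"):
    """Given an iterable of (path, manifest_dict), return (path, name, version) for every
    extension whose name contains `name_hint` (case-insensitive) and whose version predates the fix."""
    hits = []
    for path, manifest in manifests:
        name = str(manifest.get("name", ""))
        version = str(manifest.get("version", ""))
        if name_hint in name.lower() and version and is_affected(version):
            hits.append((path, name, version))
    return hits


def load_manifests(extensions_root):
    """Yield (path, manifest_dict) for every <id>/<version>/manifest.json under a Chrome
    Extensions directory. Unreadable or malformed manifests are skipped rather than aborting the scan."""
    root = Path(extensions_root)
    if not root.is_dir():
        return
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                yield str(manifest_path), json.load(fh)
        except (OSError, ValueError):
            continue


# Constructed sample manifests standing in for a real profile scan (not real on-disk data).
SAMPLE_MANIFESTS = [
    ("ext_a/1.0.11/manifest.json", {"name": "Cisco WebEx Extension", "version": "1.0.11"}),
    ("ext_b/1.0.12/manifest.json", {"name": "Cisco WebEx Extension", "version": "1.0.12"}),
    ("ext_c/0.1/manifest.json", {"name": "Unrelated Extension", "version": "0.1"}),
]


def main():
    # Assumed default Chrome profile location on Windows; other profiles live beside "Default".
    default_root = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    found = find_affected(load_manifests(default_root))
    if not found:
        print("No affected WebEx extension found under", default_root, "- showing constructed sample instead")
        found = find_affected(SAMPLE_MANIFESTS)
    for path, name, version in found:
        print(f"AFFECTED: {name} {version} (< {FIXED_VERSION}) at {path}")


if __name__ == "__main__":
    main()
```

Matching on the manifest `name` is a convenience for this example: Chrome manifests may carry a localized placeholder such as `__MSG_appName__` instead of a literal name, so a production check should key on the extension's store ID (taken from the vendor's advisory, not guessed) and cover every profile directory, not only `Default`.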
Google Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar privately disclosed a vulnerability that could be abused to remotely run code on a computer running the browser extension.
WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users, so tens of millions of computers have the extension installed.