Advertisement

Cisco's web meeting plugin for Chrome has a whopping flaw

Any site could use WebEx to silently load malware in a "driveby" attack.

If you participate in corporate web meetings, there's a good chance you have Cisco's WebEx Chrome extension. If so, you'll want to check that it's patched to version 1.03, because it has a scary hole that leaves machines open to drive-by attacks. In other words, "any website could just install malware on your machine silently," security expert Filippo Valsorda tweeted.

The problem was discovered by prolific Google researcher Tavis Ormandy, who said on Twitter that "there was a secret URL in WebEx that allowed any website to run arbitrary code." WebEx uses a coded link (cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html) to remotely start meetings on connected machines with the Chrome extension installed.

If a malicious player figured that out, they could place the URL on a web page (hidden in an invisible iframe for instance), where it would trigger the WebEx extension when you visit. From there, the attacker can execute any code they want and take full control of your machine.

The problems is particularly severe because some 20 million people use WebEx, and many of them are at corporations. That could leave sensitive materials, including private customer or employee data, open to theft, ransomware and other types of criminal activity.

Cisco patched the bug just two days after Ormandy privately reported it -- the patched version, as mentioned, is 1.03. I have the Chrome extension myself (to my surprise), but luckily, the updated version was already installed when I got up this morning.

However, Valsorda called the patch "weak," as it just shows a popup that says "WebEx meeting client will be launched if you accept this request." If you select "OK," instead of "Cancel" when you visit a malicious site, malware can still be installed. For that reason, he recommends that you install a custom Chrome profile if you really need to run WebEx. His detailed instructions to do that are here.