Latest in Culture

Image credit:

Cisco's web meeting plugin for Chrome has a whopping flaw

Any site could use WebEx to silently load malware in a "driveby" attack.
829 Shares
Share
Tweet
Share
Save

Sponsored Links

If you participate in corporate web meetings, there's a good chance you have Cisco's WebEx Chrome extension. If so, you'll want to check that it's patched to version 1.03, because it has a scary hole that leaves machines open to drive-by attacks. In other words, "any website could just install malware on your machine silently," security expert Filippo Valsorda tweeted.

The problem was discovered by prolific Google researcher Tavis Ormandy, who said on Twitter that "there was a secret URL in WebEx that allowed any website to run arbitrary code." WebEx uses a coded link (cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html) to remotely start meetings on connected machines with the Chrome extension installed.

If a malicious player figured that out, they could place the URL on a web page (hidden in an invisible iframe for instance), where it would trigger the WebEx extension when you visit. From there, the attacker can execute any code they want and take full control of your machine.

The problems is particularly severe because some 20 million people use WebEx, and many of them are at corporations. That could leave sensitive materials, including private customer or employee data, open to theft, ransomware and other types of criminal activity.

Cisco patched the bug just two days after Ormandy privately reported it -- the patched version, as mentioned, is 1.03. I have the Chrome extension myself (to my surprise), but luckily, the updated version was already installed when I got up this morning.

However, Valsorda called the patch "weak," as it just shows a popup that says "WebEx meeting client will be launched if you accept this request." If you select "OK," instead of "Cancel" when you visit a malicious site, malware can still be installed. For that reason, he recommends that you install a custom Chrome profile if you really need to run WebEx. His detailed instructions to do that are here.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
829 Shares
Share
Tweet
Share
Save

Popular on Engadget

Engadget's 2019 Back-to-School Guide

Engadget's 2019 Back-to-School Guide

View
Chicago will test Samsung's DeX in-vehicle solution in cop cars

Chicago will test Samsung's DeX in-vehicle solution in cop cars

View
Apple warns against storing its titanium credit card in leather

Apple warns against storing its titanium credit card in leather

View
Microsoft tests more control for apps that restart with Windows 10

Microsoft tests more control for apps that restart with Windows 10

View
Terminator T-800 and The Joker are coming to 'Mortal Kombat 11'

Terminator T-800 and The Joker are coming to 'Mortal Kombat 11'

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr