Sergey Nivens - Fotolia
A Google Project Zero researcher discovered a critical vulnerability in the browser extensions for Cisco's WebEx conferencing service, which would have enabled attackers to remotely execute arbitrary code. Cisco quickly released a patch for the flaw, which blocks remote code execution from all sites, except WebEx sites, but some experts disagreed with the fix. What are the possible drawbacks of how this patch works, and is there a better solution?
Around 20 million people use Cisco's WebEx browser extension for online meetings with video conferencing and screen sharing, so the discovery of a remote code execution flaw in the service required an immediate fix. Three days after the vulnerability was reported to Cisco, the company published a security advisory and patch, impressing Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability, with its response time.
The WebEx extension vulnerability, CVE-2017-3823, affects Chrome, Firefox and Internet Explorer browsers running on Windows; Microsoft Edge on Windows and all browsers on Mac and Linux are unaffected. The vulnerability is due to a design flaw in an application programing interface response parser within the plug-in.
WebEx uses a special URL string -- cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html -- to automatically activate the WebEx extension on a PC that has it installed. As part of the activation process, the URL can be used to instruct the WebEx extension to run any code or arbitrary command, which it does without requesting permission from the user. The code executes with the privileges of the affected browser, making it a classic remote code execution vulnerability with a critical rating.
A user doesn't have to willingly join a WebEx meeting to be a victim; an attacker could trick them into visiting a webpage that contains the special URL, and the WebEx session can then start automatically. The attacker's code would execute and enable malware to be installed. If the string was placed in an HTML-based iFrame tab, it would be difficult for a user to detect.
Cisco's initial fix prevented the special string from executing remote code from any sites other than its own WebEx sites. This means that if a resource is not hosted at *.webex.com or *.webex.com.cn, then the user must click OK before any code can execute. The problem is that users do tend to click OK without understanding the implications, and users are still left vulnerable if an attacker finds and leverages a cross-site scripting vulnerability in Cisco's WebEx websites to pass a malicious URL string.
The authors of the Blaze exploit kit claim to be capable of exploiting a total of 16 vulnerabilities, including the WebEx extension vulnerability. Cisco's security advisory proposed various options for mitigating the possibility of attack.
Windows users can participate in WebEx sessions using Microsoft Edge, as it isn't affected by this vulnerability. The WebEx extension or add-on should be disabled in the browser to prevent it from activating unexpectedly. Users who don't have a WebEx account should uninstall the extension and reinstall the latest version the next time they need to attend a meeting.
Enterprises deploying web proxies or web gateways can create a URL filtering policy to block URL requests containing the special URL string pattern. Administrators who want to remove all WebEx software from their organization's Windows systems can use the Meeting Services Removal Tool.
Learn how to mitigate risks faced by vulnerable software
Find out how malware repeatedly abused Ammyy Admin remote administration software
Discover how the same-origin security feature in Adobe Flash Player failed
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading