A Vulnerability in Cisco WebEx Browser Extensions Could Allow for Arbitrary Code Execution
MS-ISAC ADVISORY NUMBER:2017-064
A vulnerability has been discovered in the Cisco WebEx browser extensions for the Windows versions of Google Chrome and Mozilla Firefox, which could allow for arbitrary code execution. Cisco has confirmed that this vulnerability does not affect the Cisco WebEx browser extensions for Mac or Linux, nor the Cisco WebEx browser extensions for Microsoft Edge or Internet Explorer. The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.
While a proof of concept is available, there are no reports of this vulnerability being actively exploited in the wild.
SYSTEMS AFFECTED:
- Cisco WebEx Extension for Chrome prior to 1.0.12 for Windows
- Cisco WebEx Extension for Firefox prior to 1.0.12 for Windows
RISK:
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
A vulnerability has been discovered in the Cisco WebEx browser extensions, which could allow for arbitrary code execution. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.
The Cisco WebEx Extension for Google Chrome version 1.0.12 and the Cisco WebEx Extension for Firefox version 1.0.12 contain the fix for this vulnerability. Chrome users can confirm that the fixed version of the Cisco WebEx Extension for Google Chrome is installed by taking the following steps:
- In Chrome, select ‘Customize and control Google Chrome’ icon at the top right of the browser window.
- Navigate to ‘More tools’.
- Select ‘Extensions’.
- Enable ‘Developer mode’.
- Select ‘Update extensions now’.
Mozilla Firefox users can take the following steps to ensure the Cisco WebEx Extension is configured to receive automatic updates, so that version 1.0.12 or later is installed:
- In Firefox, open the settings menu by clicking on the ‘Open Menu’ icon.
- Click ‘Add-ons’.
- Click ‘Extensions’.
- Click on ‘More’ under ‘Cisco WebEx Extension’.
- Enable ‘Automatic Updates’.
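The manual steps above verify one browser on one machine. As an added example (not part of the MS-ISAC advisory, and not tooling from Cisco, Google or Mozilla), the following Python script performs the same check for both browsers from the file system, so it can be run across a fleet of Windows hosts. It assumes, beyond what the advisory states, that Chrome keeps installed extensions under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>\manifest.json, that Firefox lists installed add-ons in %APPDATA%\Mozilla\Firefox\Profiles\<profile>\extensions.json under an "addons" array whose entries carry "version" and "defaultLocale": {"name": ...}, and it identifies the extension by the string "WebEx" in its display name rather than by an extension ID. The sample manifest and extensions.json contents at the bottom are constructed for offline use, not copied from a real installation.

```python
import json
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

FIXED_VERSION = "1.0.12"  # fixed release named in the advisory

Finding = Tuple[str, str, bool]  # (display name, installed version, vulnerable?)


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints. Only the leading digits of each
    component count, so a Chrome version directory such as '1.0.12_0'
    compares equal to the manifest version '1.0.12'."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when 'installed' is numerically older than 'fixed'. A plain string
    comparison would wrongly rank 1.0.9 above 1.0.12."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_webex(name: str) -> bool:
    return "webex" in (name or "").lower()


def resolve_name(manifest: dict, manifest_dir: Optional[Path] = None) -> str:
    """Chrome manifests may carry an i18n placeholder such as '__MSG_appName__';
    resolve it from _locales/<en|en_US>/messages.json when the directory is known."""
    name = manifest.get("name", "")
    if manifest_dir and name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        for locale in ("en", "en_US"):
            messages = manifest_dir / "_locales" / locale / "messages.json"
            if messages.is_file():
                try:
                    data = json.loads(messages.read_text(encoding="utf-8"))
                    return data.get(key, {}).get("message", name)
                except ValueError:
                    pass
    return name


def check_chrome_manifest(manifest: dict, manifest_dir: Optional[Path] = None) -> Optional[Finding]:
    """Return a Finding if this manifest describes a WebEx extension, else None."""
    name = resolve_name(manifest, manifest_dir)
    if not is_webex(name):
        return None
    version = manifest.get("version", "0")
    return (name, version, is_vulnerable(version))


def check_firefox_extensions_json(data: dict) -> List[Finding]:
    """Walk the 'addons' list of a Firefox extensions.json (assumed layout)."""
    findings = []
    for addon in data.get("addons", []):
        name = (addon.get("defaultLocale") or {}).get("name", "")
        if is_webex(name):
            version = addon.get("version", "0")
            findings.append((name, version, is_vulnerable(version)))
    return findings


def scan_windows_user(local_appdata: Path, appdata: Path) -> List[Tuple[str, Path, str, str, bool]]:
    """Scan one Windows user's Chrome and Firefox profiles. Unreadable or
    malformed files are skipped rather than aborting the scan."""
    results = []
    chrome_root = local_appdata / "Google" / "Chrome" / "User Data"
    if chrome_root.is_dir():
        for manifest_path in chrome_root.glob("*/Extensions/*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            finding = check_chrome_manifest(manifest, manifest_path.parent)
            if finding:
                results.append(("Chrome", manifest_path) + finding)
    firefox_root = appdata / "Mozilla" / "Firefox" / "Profiles"
    if firefox_root.is_dir():
        for ext_json in firefox_root.glob("*/extensions.json"):
            try:
                data = json.loads(ext_json.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            for finding in check_firefox_extensions_json(data):
                results.append(("Firefox", ext_json) + finding)
    return results


# Constructed sample data (not from a real installation) so the checks can be
# exercised offline; the add-on IDs are placeholders.
SAMPLE_CHROME_MANIFEST = {"name": "Cisco WebEx Extension", "version": "1.0.10"}
SAMPLE_FIREFOX_EXTENSIONS_JSON = {"addons": [
    {"id": "constructed@example.invalid", "version": "1.0.12",
     "defaultLocale": {"name": "Cisco WebEx Extension"}},
    {"id": "other@example.invalid", "version": "3.2.1",
     "defaultLocale": {"name": "Some Other Add-on"}},
]}

if __name__ == "__main__":
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    roaming = Path(os.environ.get("APPDATA", ""))
    for browser, path, name, version, vulnerable in scan_windows_user(local, roaming):
        status = "VULNERABLE, update required" if vulnerable else "fixed"
        print(f"{browser}: {name} {version} -> {status} ({path})")
```

Run it in the context of each logged-on user, since both profile paths are per user. Chrome can keep the previous version's directory beside the newly downloaded one until it cleans up, so a host that reports both an old and a fixed manifest for the same extension ID has usually updated but not yet restarted the browser; treat the highest version found per extension as the installed one and confirm in the browser's extension list.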
We recommend the following actions be taken:
- Install the update provided by Cisco immediately after appropriate testing.
- Users of Microsoft Windows systems can alternatively use Microsoft Edge to join and participate in WebEx sessions.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.