Cisco plugs command-injection hole in WebEx Chrome, Firefox plugins • The Register

Cisco has patched its Chrome and Firefox WebEx plugins to kill a bug that allows evil webpages to execute commands on computers.

A malicious page, when visited by a vulnerable Windows machine, can exploit the security flaw (CVE-2017-6753) to run arbitrary commands and code with the same privileges as the browser. In other words, the page can abuse the installed plugins to hijack the PC.

The hole is present in the Chrome and Firefox plugins for Cisco WebEx Meetings Server and Cisco WebEx Centers, and affects products including WebEx Meeting Center, Event Center, Training Center and Support Center. Internet Explorer and Edge are not considered vulnerable, and both OS X and Linux versions of Chrome and Firefox are also safe.

The bug was discovered by Google Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar.

“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco said on Monday.

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.

“The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.”

Those running Chrome and Firefox plugins for WebEx should already have the patches running on their machines. Cisco kicked out the automatic update for Chrome on…

Read the full article from the Source…

Leave a Reply