
SoylentNews is people

posted by Fnord666 on Thursday January 26 2017, @05:41PM
from the patch-it-now dept.

Submitted via IRC for TheMightyBuzzard

The Chrome browser extension for Cisco Systems' WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerabilities among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it's trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service.

Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!

Source: http://arstechnica.com/security/2017/01/ciscos-webex-chrome-plugin-opens-20-million-users-to-drive-by-attacks/


  • (Score: 2) by DannyB on Thursday January 26 2017, @08:00PM

    I know WebEx used a Java Applet in the past. But does it still?

    I am sure I have had applets disabled for a long time, yet WebEx works.

    I always have Java installed for development. But not available in the browser.

    If WebEx didn't already have alternate mechanisms (Flash, ActiveX, Silverlight) to applets, then how would people use it if they don't have Java installed?

    It seems like I recall having to download and run a tiny webex.exe type file to do the install. It was signed so when running it, Windows would indicate the origin of the exe.

    That might be the best, easiest way to do it. Have a code signed exe, have the user click it in their browser, and then click Open rather than Save. (But I click save, and then launch it.)

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 0) by Anonymous Coward on Thursday January 26 2017, @08:49PM

    Depends what platform you're on. For Linux it uses a Java applet and it only works in 32bit mode. In 64bit, you can't actually get audio. On Windows, there's a newer client. I think Android has a different one as well. I'm not sure about OSX.

    This is largely a matter of Cisco being too damned lazy and cheap to properly maintain their software.