Submitted via IRC for TheMightyBuzzard
The Chrome browser extension for Cisco Systems WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.
A combination of factors makes the vulnerability among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it's trivial for anyone with control of that site to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service.
Martijn Grooten, a security researcher for Virus Bulletin, told Ars:
If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!
(Score: 0) by Anonymous Coward on Thursday January 26 2017, @08:49PM
Depends what platform you're on. For Linux it uses a Java applet and it only works in 32-bit mode. In 64-bit, you can't actually get audio. On Windows, there's a newer client. I think Android has a different one as well. I'm not sure about OSX.
This is largely a matter of Cisco being too damned lazy and cheap to properly maintain their software.