
posted by Fnord666 on Thursday January 26 2017, @05:41PM
from the patch-it-now dept.

Submitted via IRC for TheMightyBuzzard

The Chrome browser extension for Cisco Systems' WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerabilities among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it's trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service.

Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!

Source: http://arstechnica.com/security/2017/01/ciscos-webex-chrome-plugin-opens-20-million-users-to-drive-by-attacks/


  • (Score: 2) by EvilSS on Friday January 27 2017, @02:56PM

    The plugin was fixed a while ago in 1.0.3 (it's at 1.0.5 now). More than likely you are running the fixed version already.
  • (Score: 2) by dyingtolive on Friday January 27 2017, @03:42PM


    I mean, I read the article, I saw that it was 'fixed'. I'm spooked because I don't know what else could be wrong with it, and people who let magic strings give you the key to the castle are not people who engender a good, healthy sense of trust.

    I honestly never even gave it a thought that it could have been that insecure. I forgot I had it installed until the article even. The curse of too many 6 am meetings. I'll just dig my work laptop out and let it be their issue instead.

    --
    Don't blame me, I voted for moose wang!
    • (Score: 2) by EvilSS on Friday January 27 2017, @03:59PM

      Yea the problem with these is it's not like it's something you would go out and install if you didn't need it for work. Most people with IT jobs are tied to having WebEx and/or GoToMeeting plugins because you know you are going to use it and as soon as you remove it you will need it again before too long. At least with GTM you have the option of using the PC app to join a meeting directly so you can bypass the plugin. If WebEx supports that I haven't managed to find it yet.