
SoylentNews is people

posted by Fnord666 on Monday September 07 2020, @04:52PM
from the and-they're-off! dept.

A single text is all it took to unleash code-execution worm in Cisco Jabber:

Until Wednesday, a single text message sent through Cisco's Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.

The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that's designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as "onanimationstart."

[...] CVE-2020-3430 carries a severity score of 8.8.

Two other vulnerabilities—CVE-2020-3537 and CVE-2020-3498—have severity ratings of 5.7 and 6.5, respectively.

The vulnerabilities affect Cisco Jabber for Windows versions 12.1 through 12.9.1[*]. People using vulnerable versions should update as soon as possible.

[20200907_115013 UTC: Added (martyb)]

Link to download Cisco Jabber... BUT, I just downloaded a copy of the MSI using that link and found I had "Version: 12.9.0.53429, Build: 303429". Further, the Cisco advisory states that version 12.9.1 is the First Fixed Release. Something does not look right here.

Here are links to advisory entries on: (1) MITRE's Common Vulnerabilities and Exposures (CVE®) List (2) NIST (National Institute of Standards and Technology), and (3) Cisco:

CVE-2020-3430: MITRE, NIST, Cisco
CVE-2020-3537: MITRE, NIST, Cisco
CVE-2020-3498: MITRE, NIST, Cisco
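
The article says the incoming-message filter did not scrutinize the "onanimationstart" handler. The sketch below is an added example, not code from the article or from Cisco: assuming such a filter works from a list of known-bad handler names (the article does not say how it was built), it contrasts that deny-list with an allow-list over an already-parsed message tree. The node shape, both lists and the sample message are assumptions.

```javascript
// Added illustration, not Cisco's filter: node shape and both lists are assumptions.

// Deny-list: strips only the handler attributes its author thought of.
const KNOWN_BAD_ATTRS = new Set(["onclick", "onload", "onerror", "onmouseover", "onfocus"]);

// Allow-list: tag -> attributes that may survive. A Map avoids prototype-key lookups.
const ALLOWED = new Map([
  ["a", new Set(["href", "title"])],
  ["span", new Set(["class"])],
  ["b", new Set()],
  ["i", new Set()],
]);
const SAFE_URL = /^(https?:|mailto:)/i;

function denyListFilter(node) {
  if (typeof node === "string") return node;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (!KNOWN_BAD_ATTRS.has(name.toLowerCase())) attrs[name] = value;
  }
  return { tag: node.tag, attrs, children: (node.children || []).map(denyListFilter) };
}

// Returns an array: a tag that is not allowed is replaced by its filtered children.
function allowListFilter(node) {
  if (typeof node === "string") return [node];
  const tag = node.tag.toLowerCase();
  const children = (node.children || []).flatMap(allowListFilter);
  const allowed = ALLOWED.get(tag);
  if (!allowed) return children;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const key = name.toLowerCase();
    if (!allowed.has(key)) continue; // drops every on* handler, known or not
    if (key === "href" && !SAFE_URL.test(String(value).trim())) continue;
    attrs[key] = value;
  }
  return [{ tag, attrs, children }];
}

// Constructed sample: an already-parsed message fragment with placeholder handler bodies.
const sample = {
  tag: "span",
  attrs: { class: "msg", onclick: "/* handler */", onanimationstart: "/* handler */" },
  children: ["hi ", { tag: "a", attrs: { href: "javascript:void(0)", title: "t" }, children: ["link"] }],
};

console.log("deny-list keeps: ", Object.keys(denyListFilter(sample).attrs));
console.log("allow-list keeps:", Object.keys(allowListFilter(sample)[0].attrs));
```

The deny-list output still carries the handler it was never told about; the allow-list output keeps only `class`, because anything not explicitly permitted is dropped.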

  • (Score: 1) by fustakrakich (6150) on Monday September 07 2020, @06:59PM (#1047629) Journal

    Pretty amazing that a simple text can accomplish so much... oh well, maybe, someday... hopefully before the thing learns how to launch missiles..

    --
    Politics and criminals are the same thing..
    • (Score: 2, Insightful) by Anonymous Coward on Monday September 07 2020, @07:27PM (#1047639)

      attack that would spread malware from one Windows user to another,

      Found the problem! There seems to be an entire operating system dedicated to the propagation of malware installed on your machine!

      • (Score: 0) by Anonymous Coward on Tuesday September 08 2020, @04:45AM (#1047747)

        Yep, another Windoze vuln, in the wild, by a major vendor?

        The vulnerabilities affect Cisco Jabber for Windows versions 12.1 through 12.9.1

        Just the Windose version, eh? I have never heard of that happening before!

  • (Score: 3, Touché) by SomeGuy (5632) on Monday September 07 2020, @07:35PM (#1047644)

    New hacking slogan: So easy, even a teenage girl can do it!

    • (Score: 0) by Anonymous Coward on Tuesday September 08 2020, @05:42PM (#1047893)

      So easy, even a teenage girl can do it!

      So easy, even a teenage girl with a van full of explosives can do it!

      There, FTFY.

  • (Score: 2) by Mojibake Tengu (8598) on Tuesday September 08 2020, @01:44AM (#1047725) Journal

    Now, keep telling me nonsense about the 90-day delay for responsible disclosure.

    --
    Rust programming language offends both my Intelligence and my Spirit.
  • (Score: 2) by arslan (3462) on Tuesday September 08 2020, @08:29AM (#1047762)

    My understanding in a nutshell after a quick pass.

    Cisco used an embedded Chromium browser that had a vuln, though it can't escape the browser sandbox. But Cisco extended the JavaScript engine with extra APIs so it can further interact with the environment outside of the sandbox, and through this channel they managed to escape the sandbox.

    Using yet another vulnerability in the Cisco protocol handlers, they were able to do command injection to then "propagate" this throughout the network, hence the "worm" part.

    All in all, pretty bad cyber hygiene practice. The second bit with the command injection, you'd think that's a very basic principle...
