Cisco has shared additional information on the recently disclosed vulnerability affecting WebEx, and informed customers that patches have also been made available for the Internet Explorer and Firefox plugins.
The vulnerability, identified as CVE-2017-3823, allows an unauthenticated attacker to remotely execute arbitrary code with the privileges of the web browser by getting the targeted user to access a specially crafted web page.
The flaw was discovered by Google Project Zero researcher Tavis Ormandy in the WebEx extension for Chrome and disclosed after it was apparently patched by Cisco. Further investigation by Ormandy and Cisco revealed that the initial fix was incomplete and that the security hole also affected the plugins for Firefox and Internet Explorer.
Cisco has determined that the vulnerability also impacts WebEx Meetings Server and WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) on Windows.
According to the networking giant, the flaw has been patched in Chrome with the release of version 1.0.7 of the WebEx extension, and in Firefox with the release of version 106 of the ActiveTouch General Plugin Container.
In Internet Explorer, version 10031.6.2017.0126 and version 18.104.22.168 of the GpcContainer Class ActiveX and Download Manager ActiveX control plugins, respectively, address the issue.
The patches for Internet Explorer and Firefox were released on January 28. Both Google and Mozilla have restored the WebEx extension after temporarily removing it from their web stores.
Cisco pointed out that the security hole does not affect Microsoft’s Edge browser or other operating systems.
Users have been advised to ensure that they have the latest version installed, although browsers typically check for updates at regular intervals and install them automatically. Some customers of WebEx Meetings Server and WebEx Meeting Centers may need to request the patches from their service providers or download them from Cisco’s website.
While the details of the vulnerability have been publicly available for more than a week, Cisco says it has not found any evidence of exploits in the wild.