Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension. Cisco’s initial fix does not appear to be complete, which has led to Google and Mozilla temporarily removing the add-on from their stores.
While analyzing the WebEx extension for Chrome, which has roughly 20 million active users, Ormandy noticed that it works on any URL that contains a “magic” pattern. This allows an attacker to execute arbitrary code on the targeted WebEx user’s system by getting them to access a specially crafted website.
Cisco has attempted to patch the security hole by limiting the magic URL to https://*.webex.com and https://*.webex.com.cn domains. Ormandy said the fix was acceptable, but pointed out that the vulnerability could still be exploited silently through a potential cross-site scripting (XSS) flaw on webex.com.
Furthermore, even without the XSS, an attacker can still execute arbitrary code as long as the victim clicks “OK” when they are prompted to allow a WebEx meeting to launch on the malicious website.
Mozilla representatives said they were unhappy with Cisco’s fix and pointed out that webex.com does not use HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).
“If I’m an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” noted April King, information security engineer at Mozilla.
Others said they could still get Ormandy’s proof-of-concept (PoC) exploit to work even on the updated version.
As a result, both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a proper fix.
“This is exactly the kind of ‘just visit this random website and now you have malware’ scenarios that we haven’t seen in a while (on a large scale), and that we don’t want to go back to,” said Filippo Valsorda, a researcher at CloudFlare.
Valsorda has published a blog post with advice on how to prevent these types of attacks in Chrome using browser profiles.
Related: Serious Flaws Found in Cisco WebEx Meetings Server
Related: Cisco Fixes Severe Flaws in WebEx, Small Business Products
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
