A warning has been issued that companies that have installed the popular Cisco WebEx extension on Chrome could have opened themselves up to malicious attacks.
The extension, which has approximately 20 million active users, is part of Cisco’s web conferencing software – and is widely used in businesses around the world.
The critical remote code execution vulnerability in the Cisco WebEx extension can be exploited by malicious hackers by tricking users into accessing a specially-crafted website – and because this can be done through an invisible iframe, there won’t necessarily be any visual indication to the user that anything suspicious has occurred.
The flaw was uncovered by Google researcher Tavis Ormandy, who responsibly disclosed details to Cisco and published proof-of-concept code demonstrating how simply visiting a webpage while the extension was installed could cause malicious code to run on a user’s Windows PC.
Cisco rapidly responded to Ormandy, proposing an update which would display a confirmation dialog if the extension attempted to execute code from a site that did not match *.webex.com or *.webex.com.cn.
That solution, however, did not sit well with April King, a security engineer at Mozilla:
In my opinion this is an extremely dangerous hole to leave open. We're wrapping browsers in 50 layers of sandboxing, but we're willing to let an entire sprawling domain execute arbitrary system commands?
a) allowing all of *.webex.com to execute commands is way too much surface area
b) allowing other domains to execute commands by merely clicking OK is a security nightmare; we've spent literal decades failing to get users to not do this, and
c) this entire design of passing arbitrary commands from an extension to local code is architecturally a poor choice; why does it need to pass anything other than a URL or a meeting code?
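The design points raised above (an exact-origin allowlist rather than all of *.webex.com, and forwarding only a meeting code instead of arbitrary commands), as an added JavaScript illustration that is not Cisco's code and not from the article; the names ALLOWED_ORIGINS and checkRequest, the sample origins and the meeting-code format are assumptions.

```javascript
// Added illustration (not Cisco's code): a gatekeeper for messages that a
// browser extension would hand to its local helper. Two rules from the
// critique above: (1) compare exact origins, never a wildcard like *.webex.com;
// (2) forward only a meeting code, never a command. All names are hypothetical.

// Exact origins only: a lookalike host such as www.webex.com.attacker.example
// or an unreviewed subdomain must not match.
const ALLOWED_ORIGINS = new Set([
  "https://www.webex.com", // constructed allowlist entry
]);

// Assumed meeting-code format for this example: 9 to 11 digits.
const MEETING_CODE = /^[0-9]{9,11}$/;

// Returns {ok: true, meetingCode} for a well-formed request from an allowed
// origin, otherwise {ok: false, reason}. Nothing else ever reaches the helper.
function checkRequest(senderOrigin, message) {
  let origin;
  try {
    origin = new URL(senderOrigin).origin; // normalises scheme/host/port
  } catch (e) {
    return { ok: false, reason: "unparseable origin" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed: " + origin };
  }
  if (typeof message !== "object" || message === null) {
    return { ok: false, reason: "message is not an object" };
  }
  // Strict shape: exactly one field, and it must be a string meeting code.
  const keys = Object.keys(message);
  if (keys.length !== 1 || keys[0] !== "meetingCode") {
    return { ok: false, reason: "unexpected fields: " + keys.join(",") };
  }
  const code = message.meetingCode;
  if (typeof code !== "string" || !MEETING_CODE.test(code)) {
    return { ok: false, reason: "invalid meeting code" };
  }
  return { ok: true, meetingCode: code };
}

// Constructed samples: an unrelated site (e.g. a hidden iframe), a lookalike
// host, an extra field smuggled alongside the code, and a valid request.
const SAMPLES = [
  ["https://attacker.example", { meetingCode: "123456789" }],
  ["https://www.webex.com.attacker.example", { meetingCode: "123456789" }],
  ["https://www.webex.com", { meetingCode: "123456789", command: "launch" }],
  ["https://www.webex.com", { meetingCode: "123456789" }],
];

function runSamples() {
  return SAMPLES.map(([origin, msg]) => checkRequest(origin, msg).ok);
}
```

Only the last sample is accepted; a wildcard check or a confirmation dialog would have let the first three through to a user's decision instead of rejecting them outright.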
The revelation that the Cisco WebEx extension contains security flaws has led to Google and Mozilla temporarily removing the add-on from their respective plugin stores until a proper fix is put in place.
In the meantime, companies might be wise to uninstall the WebEx extension from their browser.