Corporations at risk of malware attack via Cisco’s WebEx Chrome extension

Graham Cluley

January 25, 2017


A warning has been issued that companies who have installed the popular Cisco WebEx extension on Chrome could have opened themselves up to malicious attacks.

The extension, which has approximately 20 million active users, is part of Cisco’s web conferencing software – and is widely used in businesses around the world.

The critical remote code execution vulnerability in the Cisco WebEx extension can be exploited by tricking users into visiting a specially crafted website. Because the attack can be delivered through an invisible iframe, there won't necessarily be any visual indication to the user that anything suspicious has occurred.

The flaw was uncovered by Google researcher Tavis Ormandy, who responsibly disclosed details to Cisco and published proof-of-concept code demonstrating how simply visiting a webpage while the extension was installed could cause malicious code to run on a user's Windows PC.


Cisco rapidly responded to Ormandy, proposing an update which would display a confirmation dialog if the extension attempted to execute code from a site that did not match *.webex.com or *.webex.com.cn.

That solution, however, did not sit well with April King, a security engineer at Mozilla:

In my opinion this is an extremely dangerous hole to leave open. We're wrapping browsers in 50 layers of sandboxing, but we're willing to let an entire sprawling domain execute arbitrary system commands?

a) allowing all of *.webex.com to execute commands is way too much surface area

b) allowing other domains to execute commands by merely clicking OK is a security nightmare; we've spent literal decades failing to get users to not do this, and

c) this entire design of passing arbitrary commands from an extension to local code is architecturally a poor choice; why does it need to pass anything other than a URL or a meeting code?
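To make the two designs concrete, here is an added illustration (not Cisco's code, nor anything King published) of how an extension's message handler might gate what reaches its native component: first the wildcard origin check Cisco proposed, then the stricter alternative King's points (a) and (c) describe, where only an exactly matched origin is trusted and only a meeting code, never a command, is forwarded. The allow-listed hostname and the nine-digit meeting-code format are constructed assumptions.

```javascript
// Added illustration, not Cisco's code: contrasts the wildcard-origin design
// with the stricter design April King argues for. Hostnames are constructed.

// Design 1: any origin under *.webex.com may drive native code (point (a)).
function originAllowedByWildcard(origin) {
  let host;
  try { host = new URL(origin).hostname.toLowerCase(); } catch (e) { return false; }
  // Suffix match on a dot boundary: "webex.com.evil.test" is not accepted,
  // but every subdomain of webex.com is, which is the surface-area concern.
  return host === "webex.com" || host.endsWith(".webex.com");
}

// Design 2: an exact allow list of origins (scheme + host + port), no wildcard.
const ALLOWED_ORIGINS = new Set(["https://meetings.webex.example"]); // constructed
function originAllowedStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Point (c): the page never hands the extension a command, only a meeting code.
// The code format is an assumption for this example: nine decimal digits.
const MEETING_CODE = /^[0-9]{9}$/;
function validateMeetingRequest(msg) {
  if (!msg || typeof msg !== "object") return null;
  const keys = Object.keys(msg).sort();
  // Reject any extra field (e.g. a "command"), not just unknown ones: the
  // only thing the native side should ever receive is a meeting code.
  if (keys.join(",") !== "meetingCode,type") return null;
  if (msg.type !== "join" || !MEETING_CODE.test(String(msg.meetingCode))) return null;
  return { meetingCode: String(msg.meetingCode) };
}

// What the extension would forward to its native component under design 2.
function dispatch(origin, msg) {
  if (!originAllowedStrict(origin)) return { forward: false, reason: "origin" };
  const req = validateMeetingRequest(msg);
  if (!req) return { forward: false, reason: "payload" };
  return { forward: true, request: req };
}
```

Under design 1 every host ending in .webex.com passes the origin check; under design 2 a page from any other origin, or a message carrying anything beyond a meeting code, is dropped before it reaches native code.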

The revelation that the Cisco WebEx extension contains security flaws has led to Google and Mozilla temporarily removing the add-on from their respective plugin stores until a proper fix is put in place.

In the meantime, companies might be wise to uninstall the WebEx extension from their browser.
