“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.” reads the security advisory published by CISCO. “This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”
Cisco WebEx is one of the most popular communication tools used by businesses and internet users for online meetings, webinars, and video conferences. The extension has roughly 20 million active users.
The impact of the flaw is severe if we consider that the extension has roughly more than 20 million installs.
The vulnerability was discovered by the popular Google Project Zero hacked Tavis Ormandy and Cris Neckar of Divergent Security. The CVE-2017-6753 RCE vulnerability is due to a designing bug in the WebEx browser extension, it could allow attackers to gain control of the affected system.
“Earlier this week a former colleague from Chrome Security, Cris Neckar from Divergent Security, pointed out that there had been some changes to the way atgpcext worked, and it looked like there may be some new problems. I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”
Cisco acknowledged the RCE flaw and has already patched it in the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers.