A newly discovered flaw in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could enable an attacker to execute malicious code with the privileges of the affected browser on the affected device.
According to Cisco:
“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.”
This flaw (CVE-2017-6753) was disclosed by Tavis Ormandy (a security researcher from Google Project Zero) and Cris Neckar of Divergent Security. An attacker can exploit it by tricking a victim into visiting a web page that holds specially crafted malicious code, using a browser that has the affected extension installed.
“The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.”
Cisco has issued software updates for the Google Chrome and Mozilla Firefox extensions that address this flaw. Cisco also said that only the Chrome and Firefox extensions on Windows boxes are vulnerable to this flaw.