Jan 24 2017

WebEx for Chrome: Extension Needs Patching

Cisco's WebEx branch is widely known for delivering online collaboration and conferencing tools for the enterprise. Over time, their software became so popular that browser vendors like Google and Mozilla were prompted to introduce plug-ins that enable Chrome and Firefox users to directly join a conference. With success: the Chrome extension alone is said to have 20 million active users – who could potentially fall victim to a simple yet effective security bug.

The issue was reported over the weekend by Tavis Ormandy, noted security researcher for Google's Project Zero team, and involves a so-called magic pattern that will kick the browser extension into gear and allow attackers to execute arbitrary code. All a potential adversary has to do is to add the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html to a given URL and lure users onto a prepared website. From here on out, any skilled criminal will find it easy to use the manipulated machine as a point of entry for stealing or manipulating confidential company information. In addition, Ormandy also released a proof-of-concept that will launch the calculator on Windows machines that are open to this type of raid. Both his report and the POC can be found on Google's Monorail bug list.

For cyber-crooks, this vulnerability is particularly attractive because the 'magic string' can easily be extracted from the extension's software manifest. In other words, the vulnerability was officially documented, which in turn may raise doubts about the very nature of the exploit pattern. These doubts are further exacerbated by Ormandy's claim that it "can occur in [any] iframe, so there is not necessarily any user-visible indication of what is happening." 

Meanwhile, Cisco has issued a security patch for the vulnerable plug-in. Chrome users who have the WebEx extension installed are urged to update as soon as possible – the latest version available from the Chrome Web Store is 1.0.5.
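To check whether the pattern described above has already shown up in an organisation's web traffic, the following added example (not code from Ormandy's report or from Cisco) scans proxy log lines for URLs that carry the magic string, including percent-encoded variants, and groups hits by client. The log format, the sample lines and the list of hosts where the pattern is expected are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Magic pattern quoted in the article above.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
# Assumption: hosts where the pattern is expected during normal meetings.
EXPECTED_SUFFIXES = (".webex.com",)
# Constructed log format: "<timestamp> <client> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding so %252E-style variants still match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_hits(lines):
    """Return {client: [(timestamp, host, expected)]} for URLs with the pattern."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url, _status = m.groups()
        if MAGIC not in fully_unquote(url).lower():
            continue
        host = (urlsplit(url).hostname or "").lower()
        expected = host.endswith(EXPECTED_SUFFIXES) or host == "webex.com"
        hits[client].append((ts, host, expected))
    return dict(hits)

# Constructed sample proxy log lines (addresses and hosts are made up).
SAMPLE_LOG = [
    "2017-01-24T09:00:01Z 10.0.0.5 GET https://meet.webex.com/x/" + MAGIC + " 200",
    "2017-01-24T09:02:11Z 10.0.0.7 GET http://site.example/a/" + MAGIC + "?x=1 200",
    "2017-01-24T09:03:40Z 10.0.0.7 GET http://site.example/index.html 200",
    "2017-01-24T09:05:02Z 10.0.0.9 GET http://cdn.example/p?f=" + MAGIC.replace(".", "%252E") + " 200",
    "garbled line",
]

if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        print(client, events)
```

Hits whose third field is False come from hosts outside the expected list and are the ones to review first, together with the extension version installed on that client.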

For more details, please check out the reports at The Register and Ars Technica.

