Cisco has released a fix for a critical remote code execution bug in its WebEx video conferencing extension for two browsers running on Windows.
The bug, which affects the WebEx extensions for Chrome and Firefox, can be exploited by leading a user to a page controlled by the attackers.
“A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system,” Cisco said in an advisory on Monday.
Cisco rated the bug, CVE-2017-6753, as “critical” and gave it a Common Vulnerability Scoring System (CVSS) score of 9.6 out of a possible 10.
“The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser,” it said.
Cisco released updated versions of the extension on the Chrome Store and Mozilla’s add-ons store on July 13, and July 12, respectively. WebEx extension versions before 1.0.12 for both browsers are vulnerable.
The bug affects extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings. It only affects these products on Windows machines.
Cisco added that it does not affect WebEx on Microsoft Edge or Internet Explorer. It also doesn’t affect the WebEx extensions for Safari on Mac and browsers on Linux.
Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution.
WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.