The Chrome browser extension for Cisco Systems WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.
A combination of factors makes the vulnerabilities among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it’s trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google’s Project Zero security disclosure service.
All that’s required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL. That’s a “magic” pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed. Ormandy discovered that any visited website can invoke the command not just to begin a WebEx session, but to execute any code or command of the attacker’s choice. To make the exploit more stealthy, the string can be loaded into an HTML-based iframe tag, preventing the visitor from ever seeing it.