Sergey Nivens - Fotolia

Cisco WebEx extension flaw: How does the patch fall short?

Cisco's WebEx extension flaw was patched to prevent remote code execution from all but WebEx sites. Expert Michael Cobb explains how this flaw could still introduce risk to users.

A Google Project Zero researcher discovered a critical vulnerability in the browser extensions for Cisco's WebEx conferencing service, which would have enabled attackers to remotely execute arbitrary code. Cisco quickly released a patch for the flaw, which blocks remote code execution from all sites, except WebEx sites, but some experts disagreed with the fix. What are the possible drawbacks of how this patch works, and is there a better solution?

Around 20 million people use Cisco's WebEx browser extension for online meetings with video conferencing and screen sharing, so the discovery of a remote code execution flaw in the service required an immediate fix. Three days after the vulnerability was reported to Cisco, the company published a security advisory and patch, impressing Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability, with its response time.

The WebEx extension vulnerability, CVE-2017-3823, affects Chrome, Firefox and Internet Explorer browsers running on Windows; Microsoft Edge on Windows and all browsers on Mac and Linux are unaffected. The vulnerability is due to a design flaw in an application programing interface response parser within the plug-in.

WebEx uses a special URL string -- cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html -- to automatically activate the WebEx extension on a PC that has it installed. As part of the activation process, the URL can be used to instruct the WebEx extension to run any code or arbitrary command, which it does without requesting permission from the user. The code executes with the privileges of the affected browser, making it a classic remote code execution vulnerability with a critical rating.

A user doesn't have to willingly join a WebEx meeting to be a victim; an attacker could trick them into visiting a webpage that contains the special URL, and the WebEx session can then start automatically. The attacker's code would execute and enable malware to be installed. If the string was placed in an HTML-based iFrame tab, it would be difficult for a user to detect.

Cisco's initial fix prevented the special string from executing remote code from any sites other than its own WebEx sites. This means that if a resource is not hosted at * or *, then the user must click OK before any code can execute. The problem is that users do tend to click OK without understanding the implications, and users are still left vulnerable if an attacker finds and leverages a cross-site scripting vulnerability in Cisco's WebEx websites to pass a malicious URL string.

The authors of the Blaze exploit kit claim to be capable of exploiting a total of 16 vulnerabilities, including the WebEx extension vulnerability. Cisco's security advisory proposed various options for mitigating the possibility of attack.

Windows users can participate in WebEx sessions using Microsoft Edge, as it isn't affected by this vulnerability. The WebEx extension or add-on should be disabled in the browser to prevent it from activating unexpectedly. Users who don't have a WebEx account should uninstall the extension and reinstall the latest version the next time they need to attend a meeting.

Enterprises deploying web proxies or web gateways can create a URL filtering policy to block URL requests containing the special URL string pattern. Administrators who want to remove all WebEx software from their organization's Windows systems can use the Meeting Services Removal Tool.

Next Steps

Learn how to mitigate risks faced by vulnerable software

Find out how malware repeatedly abused Ammyy Admin remote administration software

Discover how the same-origin security feature in Adobe Flash Player failed 

This was last published in June 2017

Dig Deeper on Application and platform security