Cisco Patches Serious Vulnerability in Extension That Enables Code Execution

Cisco has released a patch for its WebEx extension for the Chrome browser. This fixes a vulnerability that allowed arbitrary code execution. The vulnerability was discovered by a Google researcher from the Project Zero security team.

The researcher, Tavis Ormandy, writes that the extension is popular with about twenty million users. The vulnerability is also quite easy to use, because an attacker only needs to use a ‘magic pattern’ to start a WebEx session or run arbitrary code. According to Ormandy, this pattern may be contained in an iframe, leaving the victim unaware that something is happening.

Cisco has since released a patch in version 1.0.3 of the extension. Ormandy notes that the company has responded quickly, as he reported the leak over the weekend. In one of his comments on the patch, Ormandy writes that he “assumes the vulnerability has been fixed.” Other participants in the conversation are skeptical, saying that Cisco has limited the use of the “magic URL” only to the webex.com domain. While that makes it more difficult to use the vulnerability, it is still possible to exploit it through cross-site scripting, as Ormandy itself points out.

In addition, the extension outside that domain only shows a warning, which allows code execution after clicking away. The WebEx extension makes it possible to collaborate, for example by starting a video call. The plugin is aimed at business users. Filippo Valsorda, a security researcher at Cloudflare, has dedicated a blog post to the vulnerability, giving users security tips.

Ormandy is more likely to discover leaks in software from other companies, especially Chrome extensions. His most recent discovery was a leak in an automatically installed Adobe extension.

Screenshot of how Ormandy’s leak works