ISS discovers WebEx vulnerability
Internet Security Systems, Inc. announced that its X-Force research and development team discovered a serious vulnerability in the ActiveX control used by the popular Web conferencing software, WebEx. ISS has worked closely with the company to resolve the vulnerability, and according to WebEx, there have been no reported cases of users adversely affected by the now-resolved vulnerability.
ISS X-Force has discovered a remotely exploitable vulnerability in the WebEx ActiveX control used to install the WebEx client on a user’s machine when attending or hosting a meeting. WebEx uses ActiveX to download the software components needed for a meeting. With this vulnerability, the ActiveX control did not check the validity of the content or source of these additional components, so an attacker could craft a custom Web page that caused the WebEx ActiveX control to download and place malicious code on a user’s machine.
WebEx has already updated customer sites and users’ ActiveX controls are automatically upgraded when they access the service. WebEx has also made a website available for individuals interested in manually updating their installer,
The ISS X-Force advisory on this vulnerability can be found at: .