Windows users who have the widely used Cisco WebEx extension installed in Chrome are in danger of being silently compromised simply by visiting a malicious website.
The vulnerability, which an attacker can exploit to achieve remote code execution (for example, to install malware) on the target’s computer, was discovered by Google bug hunter Tavis Ormandy and responsibly disclosed to Cisco.
“The extension works on any URL that contains the magic pattern ‘cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html’, which can be extracted from the extension’s manifest,” Ormandy explained.
“Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.”
He also published a demo page for testing whether the flaw is present.
Cisco has pushed out a new version (1.0.3) of the Chrome extension that is supposed to plug the hole, but according to the discussion that followed the bug’s disclosure, the fix is only partial: the new version still lets the webex.com domain and its subdomains use the “magic pattern” to remotely start a WebEx meeting.
“If I’m an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines? At least 10M, according to the extension page,” noted April King, head of website security at Mozilla. And XSS flaws are depressingly common.
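To make the difference between the original behaviour and the 1.0.3 fix concrete, here is an added illustration (not the WebEx extension’s real source). It contrasts exposing the native-messaging bridge to any URL that merely contains the magic pattern with additionally requiring the page to come from webex.com or one of its subdomains, which is the rule the fix is reported to add. The magic pattern is the one Ormandy quotes from the manifest; the sample URLs are constructed for the example, and the allowlist logic is my own sketch of what such a check would look like, not Cisco’s code.

```javascript
// Added illustration, not the WebEx extension's actual source. It contrasts
// the two gating rules described in the article: exposing the native-messaging
// bridge to any URL containing the magic pattern (original behaviour) versus
// additionally requiring the page to come from webex.com or a subdomain (the
// behaviour reported for version 1.0.3). The magic pattern is the one quoted
// from the manifest; every sample URL below is constructed.
const MAGIC = 'cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html';

// Original rule as described: a substring match on the whole URL. Any origin
// can satisfy it, including a hidden iframe on an attacker's page.
function exposedByPatternOnly(url) {
  return url.includes(MAGIC);
}

// Allowlist rule: same pattern requirement, plus an origin check done on the
// parsed hostname rather than by string search, so "webex.com" appearing in a
// path or query string does not count, and the suffix test requires a leading
// dot so that a lookalike such as "notwebex.com" is not accepted.
function exposedByAllowlist(url, allowedDomains = ['webex.com']) {
  if (!url.includes(MAGIC)) return false;
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // unparseable URL: fail closed
  }
  return allowedDomains.some((d) => host === d || host.endsWith('.' + d));
}

// Constructed test URLs (none of these are real pages).
const SAMPLE_URLS = [
  `https://meetings.webex.com/${MAGIC}`,            // legitimate-looking WebEx page
  `https://evil.example/${MAGIC}`,                  // attacker page carrying the pattern
  `https://evil.example/x?next=webex.com/${MAGIC}`, // allowed host smuggled into the query
  `https://notwebex.com/${MAGIC}`,                  // suffix lookalike
];

// Evaluate every URL under both rules and return the verdicts.
function evaluateUrls(urls) {
  return urls.map((url) => ({
    url,
    patternOnly: exposedByPatternOnly(url),
    allowlist: exposedByAllowlist(url),
  }));
}

for (const row of evaluateUrls(SAMPLE_URLS)) {
  const verdict = (v) => (v ? 'EXPOSED' : 'blocked');
  console.log(`pattern-only: ${verdict(row.patternOnly)}  allowlist: ${verdict(row.allowlist)}  ${row.url}`);
}
```

Run with `node`, the pattern-only rule exposes the bridge to all four URLs, while the allowlist rule exposes it only to the webex.com subdomain. Note what the allowlist cannot do: it accepts every page under webex.com, so it has no way to tell a legitimate page from one an attacker reaches through an XSS on that domain or a redirect into it, which is exactly the objection King raises above.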
Others have pointed out that even with the fixed extension, a malicious site will trigger a prompt that will mean nothing to many users, who will likely let the exploit run by clicking OK.
As a researcher pointed out:
So, for the time being, the best thing users can do is uninstall the extension altogether. King noted that the WebEx extension has been blocked in Firefox pending a fix, and it is still unknown whether the bug is present in the extension for Safari and IE/Edge.
The good news for those who need WebEx for work is that the extension is not required to join WebEx meetings: they can run a temporary application instead.
UPDATE (January 25, 2017): On Tuesday Cisco released version 1.0.5 of the WebEx Extension for Google Chrome. Ormandy, however, found “some remaining remote code execution problems” in it and sent a report and exploit to Cisco, so another update may well be pushed out soon.