The latest on the critical RCE Cisco WebEx extension vulnerability
Since Google bug hunter Tavis Ormandy revealed the existence of a remotely exploitable code execution flaw in the Cisco WebEx extension for Google Chrome last week, Cisco has pushed out several updates for it in quick succession.
We’re now up to version 1.0.7 (the initial update to fix the flaw was 1.0.3), and ostensibly the vulnerability has now been fixed.
The latest update of the security advisory detailing the issue says that the WebEx extensions for Firefox and Internet Explorer on Windows systems were also found to be sporting the same flaw, and have now also been updated.
Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge are not affected, the company claims.
The company has offered users the option to switch to Microsoft Edge to join and participate in WebEx sessions, and has pointed both users and administrators towards a Meeting Services Removal Tool that can help them remove all WebEx software from a Windows system, just in case.
Malicious web requests aimed at exploiting the flaw can also be blocked by those using web proxies or web gateways, by creating a specific URL filtering policy. Such a policy would drop any URL request containing the string pattern that triggers the flaw.
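To make the proxy-side mitigation concrete, here is an added example (not code from the article, Cisco, or any proxy vendor) of the matching logic such a URL filtering policy needs. It also runs that logic over a few constructed proxy log lines so existing logs can be checked for past attempts. The page does not reproduce the actual trigger string, so `TRIGGER_PATTERNS` holds a placeholder to be replaced with the pattern from the Cisco advisory; the sample pattern and log lines used in the demo are constructed. The one point a plain substring rule misses is percent-encoding, so the check decodes and case-folds the URL before matching.

```python
from urllib.parse import unquote

# Placeholder: the article does not reproduce the flaw-triggering string,
# so substitute the pattern from the Cisco security advisory here.
TRIGGER_PATTERNS = ["<FLAW-TRIGGER-PATTERN-FROM-CISCO-ADVISORY>"]


def normalize_url(url: str) -> str:
    """Percent-decode (a few rounds, to catch double encoding) and lower-case."""
    cur = url
    for _ in range(3):  # bounded so pathological inputs cannot loop forever
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.lower()


def url_is_blocked(url: str, patterns=TRIGGER_PATTERNS) -> bool:
    """True if the normalized URL contains any of the trigger patterns."""
    norm = normalize_url(url)
    return any(p.lower() in norm for p in patterns)


def scan_proxy_log(lines, patterns=TRIGGER_PATTERNS):
    """Return (timestamp, client, url) for every log line whose URL matches.

    Assumed log layout (constructed for this example): whitespace-separated
    'timestamp client_ip url ...'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, url = parts[0], parts[1], parts[2]
        if url_is_blocked(url, patterns):
            hits.append((ts, client, url))
    return hits


# Constructed sample pattern and log lines; not real traffic or the real trigger.
SAMPLE_PATTERNS = ["example-trigger-token"]
SAMPLE_LOG = [
    "2017-01-30T10:00:01Z 10.0.0.5 http://site.example/index.html 200",
    "2017-01-30T10:00:02Z 10.0.0.5 http://bad.example/x/example-trigger-token.html 200",
    # Double percent-encoded hyphens: a naive substring filter would miss this one.
    "2017-01-30T10:00:03Z 10.0.0.7 http://bad.example/EXAMPLE%252Dtrigger%252Dtoken.html 200",
    "2017-01-30T10:00:04Z 10.0.0.9 http://site.example/about 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, SAMPLE_PATTERNS):
        print("blocked/flagged:", hit)
```

In a real gateway the same normalization step matters for the blocking rule itself, not only for log review: a policy that matches the raw request path only will let an encoded variant through.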
But is this the end of the problem? Has the issue been thoroughly and finally fixed? Can you use WebEx on your Windows system safely again? Unfortunately, we can’t know for sure – a new security update might just be around the corner.
The only good news is that Cisco’s Product Security Incident Response Team is currently not aware of any malicious use of the vulnerability.
Still, if you want to mitigate the risk, you can uninstall the WebEx extension for the time being and switch to running the temporary application when you need it. Alternatively, as researcher Filippo Valsorda advises and instructs, you could opt to create a dedicated WebEx profile.