Cisco rushing to develop patch for insecure WebEx Chrome extension

20 million users at risk of remote-code execution security flaw

Cisco WebEx users have been warned that a Google Chrome browser extension can enable remote-code execution attacks on Windows PCs with the the plugin installed.

The company is rushing to develop a patch for the flaw, uncovered by Google Project Zero bug hunter Travis Ormandy. Ormandy sounded the alarm over the weekend and alerted Cisco to the flaw.

All attackers need to know to potentially attack the extension's 20 million-strong userbase is a "magic URL" hidden within WebEx, Ormandy said, specifically any URL that contains the pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html."

He noted that as the magic pattern can be embedded in a non-visible, "the user need not be aware the extension was engaged."

"The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!)," Ormandy said.

Ormandy was able to code a proof of concept exploit that made the Cisco's WebEx Chrome extension pop up the Windows calc.exe application, showing that all a victim has to do browse a website that targets Cisco's plugin to come under attack

On Monday, Ormandy confirmed that Cisco had been quick to rush out a fix.

"It looks like a new version is being rolled out right now (version 1.0.3) that contains that change, he said. "That was a really impressive response time from Cisco over the weekend.

"This means that if a site is not *.webex.com or *.webex.com.cn, then the user must click OK for code execution to happen. I think we will consider this issue fixed now. Hopefully, webex.com is well maintained and not full of XSS."

While Ormandy is satisfied, CloudFlare security bod Filippo Valsorda ‏has said that the patch won't do much to prevent against attack.

"Even the "fixed" WebEx ext means that just getting a XSS on *.webex.com (or the user clicking an OK bttn) gives you code exec!", he warned.