On Monday, Tavis Ormandy of Project Zero revealed that the Cisco WebEx Chrome extension (20M users) has a critical vulnerability.
OMFG🔥 The WebEx Chrome extension has a trivial code execution vulnerability: any website could just install malware on your machine silently https://t.co/3hsvUaQRJU— Filippo Valsorda (@FiloSottile) 23 January 2017
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://t.co/sAqZrDN4ad— Tavis Ormandy (@taviso) 23 January 2017
This is the tl;dr: ANY website can silently load a specially-named file, that can ask the WebEx extension to execute anything they want on your computer.
This is exactly the kind of "just visit this random website and now you have malware" scenarios that we haven't seen in a while (on a large scale), and that we don't want to go back to.
Needless to say, this is pretty damn irresponsible of Cisco, even if they deserve praise for fixing it fast, I guess.
An updated, fixed version (
1.0.3 1.0.7) is available. It will roll out automatically, but I don't know in how long.
Here is how to check that you have the latest version, how to install it if not, and how to further protect you from the weak patch by using a dedicated profile.
(Read the bug linked at the top for the l33t technical details, this is full of screenshot for the users.)
Checking and updating
First, go to the Extensions page.
If you have version
1.0.3 1.0.7, you're good.
If not, click the "Developer mode" checkbox and then click the "Update extensions now" button.
Make sure that the version updates to
1.0.3 1.0.7 and then untick "Developer mode".
Using a dedicated profile
The protection of the patch is pretty weak. All it does is show a popup like the following. Clicking OK will still cause malware to be installed.
Moreover, the webex.com website is still allowed to bypass the popup. If a vulnerability is found on the webex.com website, it can be used to compromise any machine running even the updated version.
Here is how you can make a dedicated WebEx profile to mitigate that risk.
First, uninstall WebEx from the Extensions page.
Then click the menu in the top-right corner (it can be your name or a small person icon) and click "Manage People".
Click "Add person", call it "WebEx", and click "Save". You'll now be in a browser window with "WebEx" in the top-right corner (it's called a profile).
Install WebEx again in this window/profile.
Don't use the WebEx profile for anything else than WebEx.
To open it later from your normal profile, click on the top-right menu, and then click "WebEx".
Now any website you visit from your normal profile can't attack the WebEx extension.
To keep up to date on the issue, you might follow me on Twitter.