Cisco WebEx Browser Extension Remote Code Execution Vulnerability

A vulnerability has been identified in the Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox. Specifically, it affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when running on Microsoft Windows. There are no workarounds that address this vulnerability. The vulnerability, which is due to a design defect in the extension, could allow an attacker to execute arbitrary code with the privileges of the affected browser. In other words, this vulnerability could expose users to malware risk.

The following versions of the Cisco WebEx browser extensions are affected by the vulnerability:

  • Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome
  • Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox

To determine which version of the Cisco extension for Chrome is in use:

  • Click the menu button (three dots at the upper right of the application) and choose More Tools, then Extensions. The extension version is listed next to the Cisco WebEx extension name.
    • The extension ID of the Cisco WebEx extension for Google Chrome, which organizations can use to identify hosts that contain the extension, is: jlhmfgmfgeifomenelglieieghnjghma
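
The extension ID and the fixed version above are enough to check a host without opening the browser. The following script is an added example, not part of the advisory or any Cisco tooling; it assumes Chrome's usual on-disk layout under the user's `User Data` directory, and the function names are hypothetical.

```python
import json
import os
from pathlib import Path

WEBEX_CHROME_ID = "jlhmfgmfgeifomenelglieieghnjghma"  # extension ID from the advisory
FIXED_VERSION = (1, 0, 12)                             # first fixed release per the advisory


def parse_version(text):
    """Turn a dotted version such as '1.0.9' into a comparable tuple of ints."""
    return tuple(int(part) for part in str(text).strip().split("."))


def is_vulnerable(version_text):
    """True when the version is prior to the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def scan_user_data(user_data_dir):
    """Return (profile, version, vulnerable) for each installed copy of the extension.

    Assumed layout (Chrome's usual one, not stated in the advisory):
    <User Data>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json
    """
    findings = []
    for ext_dir in sorted(Path(user_data_dir).glob(f"*/Extensions/{WEBEX_CHROME_ID}")):
        profile = ext_dir.parent.parent.name
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            try:
                version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            except (OSError, ValueError, KeyError, TypeError):
                # Manifest missing or unreadable: use the directory name, "1.0.9_0" -> "1.0.9"
                version = version_dir.name.split("_")[0]
            try:
                vulnerable = is_vulnerable(version)
            except ValueError:
                vulnerable = None  # version could not be parsed: review by hand
            findings.append((profile, version, vulnerable))
    return findings


if __name__ == "__main__":
    # Assumed default Chrome location for the current Windows user.
    default = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    for profile, version, vulnerable in scan_user_data(default):
        status = {True: "VULNERABLE", False: "fixed", None: "unknown"}[vulnerable]
        print(f"{profile}\t{version}\t{status}")
```

Chrome can keep more than one version directory for an extension until it is restarted, so a profile may report both an old and a fixed version until step 5 of the update procedure is done.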

To determine which version of the Cisco extension for Firefox is in use:

  • Click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons.
  • Click the Extensions tab.
  • Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain version information.

The Cisco WebEx extension for Google Chrome version 1.0.12 was released on July 13, 2017, and contains a fix for this vulnerability. Ensure that you are using a fixed version of the Cisco WebEx extension for Google Chrome by taking the following steps:

  1. In Chrome, open the Settings page
  2. Click Extensions
  3. Select the Developer mode checkbox
  4. Click Update extensions now
  5. Restart the Chrome browser

The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on July 12, 2017, and contains a fix for this vulnerability. Ensure that you are using a fixed version of the Cisco WebEx extension for Mozilla Firefox by taking the following steps:

  1. Click the menu button (three horizontal bars on the upper right of the application) and select Add-ons
  2. Click the Extensions tab
  3. Locate the Cisco WebEx Extension in the list of extensions and click on the More link to obtain version information
  4. Click the cogwheel next to the search bar and choose Check for Updates