Cisco starts patching critical flaw in WebEx browser extension
Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.
The company released a patched version of the extension — 1.0.7 — for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.
The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx extension exposed functionality to any website that had “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL or inside an iframe. Some of that WebEx functionality allowed for the execution of arbitrary code on computers.
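
As an added example (not code from Cisco or from this article), the JavaScript below models the kind of URL check described above and sets it beside a stricter check that parses the sender URL and compares its origin against an allowlist. The allowlisted origin, the function names and the sample URLs are constructed assumptions; only the marker string comes from the article.

```javascript
// Added illustration, not vendor code. The marker string is the one quoted in the article.
const MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";

// Hypothetical allowlist of origins the extension vendor controls (assumption).
const TRUSTED_ORIGINS = new Set(["https://meetings.vendor.example"]);

// Weak gate: trusts any page whose URL contains the marker anywhere.
function weakGate(senderUrl) {
  return senderUrl.includes(MAGIC);
}

// Hardened gate: parse the URL, require an allowlisted https origin,
// and require the marker to be the exact final path segment.
function strictGate(senderUrl) {
  let u;
  try {
    u = new URL(senderUrl);
  } catch {
    return false; // unparseable sender URLs are rejected
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false; // no userinfo tricks
  if (!TRUSTED_ORIGINS.has(u.origin)) return false;
  return u.pathname.split("/").pop() === MAGIC;
}

// Constructed sample sender URLs.
const SAMPLES = [
  `https://meetings.vendor.example/frame/${MAGIC}`,            // expected caller
  `https://unrelated.example/${MAGIC}`,                        // marker in path, other site
  `https://unrelated.example/page?x=${MAGIC}`,                 // marker in query string
  `http://meetings.vendor.example/frame/${MAGIC}`,             // right host, no TLS
  `https://meetings.vendor.example.unrelated.example/${MAGIC}` // look-alike host
];

// Evaluate both gates over a list of URLs.
function compare(urls) {
  return urls.map((url) => ({ url, weak: weakGate(url), strict: strictGate(url) }));
}

for (const r of compare(SAMPLES)) {
  console.log(`weak=${r.weak} strict=${r.strict} ${r.url}`);
}
```

The weak gate accepts all five sample URLs, while the strict gate accepts only the first.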