It feels like no time at all since businesses were being advised to update their installations of Cisco’s WebEx conferencing software to deal with a security issue.
And that’s because it is barely any time at all…
Little over a week ago, Cisco issued an advisory warning that an attacker could spread a boobytrapped .SWF Flash file to other WebEx participants.
Now WebEx users are being warned about another security vulnerability, which could see remote attackers execute malicious code on the computers of targeted users.
Cisco says that the problem lies in WebEx Network Recording Player for Advanced Recording Format files. That’s quite a mouthful, so let’s call them ARF files after their extension .ARF.
Normally, WebEx ARF files hold video recording data from online meetings, as well as other information including attendee lists, and can be opened with the Cisco WebEx player.
However, researcher Kushal Arvind Shah of Fortinet discovered that it was possible for an ARF file to be maliciously crafted in such a way that unauthorised code could be executed on users’ computers. All you would have to do is trick a user into opening the boobytrapped file, perhaps by sending it as an attachment or link via email pretending that it was an archive of an online meeting.
The following versions of the WebEx software are said to be affected by the vulnerability:
- Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.4
- Cisco WebEx Business Suite (WBS32) client builds prior to T32.12
- Cisco WebEx Meetings with client builds prior to T32.12
- Cisco WebEx Meeting Server builds prior to 3.0 Patch 1
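As an added example (not code from the article or from Cisco), here is a small Python check that compares a WebEx client build string against the fixed builds listed above, so an inventory export can be screened for clients still on an affected build. The product keys, the inventory record format and the sample host entries are assumptions; the Meeting Server line is left out because its "3.0 Patch 1" versioning does not follow the Txx.yy build scheme.

```python
# Added example (not from the article): check whether a WebEx client build
# string falls before the fixed builds named in the advisory summary above.
# The thresholds come from the article; hostnames and inventory are constructed.
import re

# First fixed build per product line, as stated in the advisory summary.
# The product keys are an assumption for this example.
FIXED_BUILDS = {
    "WBS31": "T31.23.4",
    "WBS32": "T32.12",
    "Meetings": "T32.12",
}


def parse_build(build: str) -> tuple:
    """Turn a build string such as 'T31.23.4' into a comparable tuple (31, 23, 4).

    Components are compared numerically, so 'T32.9' sorts before 'T32.12';
    a plain string comparison would get that wrong.
    """
    m = re.fullmatch(r"T(\d+(?:\.\d+)*)", build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product: str, build: str) -> bool:
    """True if `build` for `product` is older than the first fixed build."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fix threshold recorded for {product!r}")
    # A shorter tuple such as (31, 23) compares lower than (31, 23, 4),
    # so a build that omits the patch component counts as older.
    return parse_build(build) < parse_build(FIXED_BUILDS[product])


def audit_inventory(inventory):
    """Return the hostnames still running an affected build.

    `inventory` is an iterable of (hostname, product, build) triples, the shape
    assumed here for an export from endpoint management tooling.
    """
    return [host for host, product, build in inventory if is_affected(product, build)]


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    ("laptop-01", "WBS31", "T31.23.4"),   # exactly the fixed build: fine
    ("laptop-02", "WBS31", "T31.23.2"),   # older: affected
    ("desk-07", "WBS32", "T32.9"),        # numerically older than T32.12: affected
    ("desk-08", "Meetings", "T32.12.1"),  # newer than the fixed build: fine
]

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected WebEx client build, update required")
```

The numeric tuple comparison is the point of the example: a lexical comparison of the raw strings would wrongly report "T32.9" as newer than "T32.12" and miss an affected client.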
The fact that WebEx is so widely used inside businesses could make it an increasingly attractive target for malicious hackers eager to break inside specific organisations.
Fortunately, the vulnerability was disclosed responsibly to Cisco, and fixes are now being rolled out to customers that are licensed to receive updates. And if your business is not licensed for WebEx software updates you may be wise to either renegotiate your contract, or remove WebEx from your systems.
"Fortunately, the vulnerability was disclosed responsibly to Cisco, and fixes are now being rolled out to customers that are licensed to receive updates. And if your business is not licensed for WebEx software updates you may be wise to either renegotiate your contract, or remove WebEx from your systems."
That's great until you realise that Webex is resold by value added resellers like Vodafone etc who have their own update schedule and add a whole other level of complexity to the equation.