Popular Cisco Chrome plugin contained serious vulnerability
A popular browser plugin from the Cisco service WebEx contained a serious security flaw that made it possible for attackers to run arbitrary code on a victim's computer.
The code of the Chrome extension contained a ‘magic URL’ that could be used against a computer, as Google researcher Tavis Ormandy discovered.
He built a web page that opened the calculator on Windows PCs when it was visited by users with the WebEx plugin. Attackers could also have used the vulnerability to install malicious software.
As far as is known, this did not happen. The WebEx plugin has an estimated 20 million users, which probably makes it an attractive target for cyber criminals, because the software is used by businesses.
Ormandy reported the bug to Cisco on Saturday, and on Monday an update appeared that largely fixed the problem. According to Ormandy, however, the bug has not entirely disappeared and the cause of the vulnerability may still be abused.
Now, when an attempt is made to run code via the WebEx plugin, a warning is displayed. If users then click the ‘OK’ button, they are still at risk. Security researcher Filippo Valsorda of CloudFlare therefore calls the protection in the update still “pretty weak”.