
Google researcher finds major security flaw in Cisco's WebEx Chrome extension

A Google Chrome browser extension with a user base of 20 million has been updated to patch a serious security vulnerability that made it possible to run malicious code with a minimum of effort. Users of the Cisco Systems WebEx extension are encouraged to make sure that they have updated to version 1.0.3.

The issue was discovered by security researcher Tavis Ormandy, who alerted the company privately before publishing a blog post discussing the situation. Ormandy is a member of Project Zero, a team assembled by Google to hunt down zero-day vulnerabilities.


WebEx uses a 64-character string to remotely start a meeting on a PC with the extension installed. This string simply needs to be included in the URL of a file or resource hosted by a website; it can even be tucked away in an HTML-based iframe tag, making it more difficult to detect.

Ormandy found that this string could be used for much more than just initializing a WebEx session. Malicious entities could run any code or command they liked on another user’s system, simply by having them visit a site that contained this string while using the Chrome browser with the WebEx extension running.

This particular vulnerability had the potential to be catastrophic, given that it targeted a service that’s commonly used in an enterprise setting. Security researcher Martijn Grooten noted that the exploit could have caused chaos if it were combined with a ransomware attack, commenting on the situation in a report by Ars Technica.

Unfortunately, there are still some lingering worries about the security of the extension. Specifically, there are concerns that attackers would be able to take advantage of the gap in its security if Cisco’s WebEx website were to suffer a cross-site scripting vulnerability.
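As an added illustration (not Cisco's code and not taken from Ormandy's post), the JavaScript below models the trust decision described above: a gate that fires whenever the string appears anywhere in a URL, beside a stricter gate that decides on the parsed origin. The token, host names and function names are constructed placeholders, and the origin allowlist is an assumption about what a stricter check looks like.

```javascript
// Constructed placeholders: the real 64-character string is not reproduced here.
const MAGIC_TOKEN = "x".repeat(64);
const TRUSTED_HOSTS = new Set(["meetings.vendor.example"]); // hypothetical allowlist

// Weak gate: any URL containing the token is treated as a meeting launch.
// The token is visible to every site, so it authenticates nothing.
function weakGate(url) {
  return url.includes(MAGIC_TOKEN);
}

// Stricter gate: parse the URL and decide on scheme and exact host first,
// then require the token as the final path segment.
function hardenedGate(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false; // unparseable input is rejected
  }
  if (u.protocol !== "https:") return false;
  if (!TRUSTED_HOSTS.has(u.hostname)) return false;
  return u.pathname.split("/").pop() === MAGIC_TOKEN;
}

// Constructed sample URLs, one per case a substring check gets wrong.
const SAMPLES = [
  ["trusted page", `https://meetings.vendor.example/join/${MAGIC_TOKEN}`],
  ["third-party iframe src", `https://site.example/ads/${MAGIC_TOKEN}`],
  ["token in query string", `https://site.example/?next=https://meetings.vendor.example/${MAGIC_TOKEN}`],
  ["lookalike host", `https://meetings.vendor.example.site.example/${MAGIC_TOKEN}`],
  ["userinfo trick", `https://meetings.vendor.example@site.example/${MAGIC_TOKEN}`],
  ["plain http", `http://meetings.vendor.example/${MAGIC_TOKEN}`],
];

// Run both gates over the samples and return one row per URL.
function compareGates(samples) {
  return samples.map(([label, url]) => ({
    label,
    weak: weakGate(url),
    hardened: hardenedGate(url),
  }));
}

console.table(compareGates(SAMPLES));
```

Only the first row passes the stricter gate, and it passes because the gate trusts everything served from that origin, which is why a cross-site scripting flaw on the trusted site would still reach the extension.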

For now, the best recourse is to ensure that all installations of the WebEx extension have been updated to version 1.0.3. This patch should have applied automatically, but users can check for themselves by accessing the Extensions menu in Chrome.

Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…