JPCERT-AT-2017-0028
JPCERT/CC
2017-07-18

<<< JPCERT/CC Alert 2017-07-18 >>>

Alert Regarding Vulnerability in Cisco WebEx Browser Extension (CVE-2017-6753)

https://www.jpcert.or.jp/english/at/2017/at170028.html


I. Overview

  On July 17, 2017 (US time), Cisco released a security advisory about a
  vulnerability in the Cisco WebEx Browser Extension (CVE-2017-6753). If a
  user visits a specially crafted web page that exploits the vulnerability,
  a remote attacker may execute arbitrary code on a Windows PC with the
  Cisco WebEx browser extension installed. For more information on the
  vulnerability, please refer to the information provided by Cisco. In
  addition, the reporter of this vulnerability has released a demonstration
  of the vulnerability.

    Cisco Systems
    Cisco WebEx Browser Extension Remote Code Execution Vulnerability
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

  Cisco has rated this vulnerability as "Critical". If you are using an
  affected version of the Cisco WebEx Browser Extension, please apply the
  security update by referring to the information in "III. Solution".


II. Affected Products

  The following versions are affected by this vulnerability:

  - Cisco WebEx extension on Google Chrome (prior to version 1.0.12)
  - Cisco WebEx extension on Mozilla Firefox (prior to version 1.0.12)

  Because the vulnerability only applies when the Cisco WebEx browser
  extension is installed on an affected browser on Windows, the following
  products are not affected by this vulnerability:

  - Cisco WebEx Productivity Tools
  - Cisco WebEx browser extensions for Mac or Linux
  - Cisco WebEx on Microsoft Edge or Internet Explorer

  The installed version can be checked as follows.

  (1) Google Chrome
    * Click the menu button and choose "More Tools" > "Extension"
      (or access "chrome://extensions/")
    * The version will be displayed

  (2) Mozilla Firefox
    * Click the menu button, choose "Add-ons", and click the "Extensions"
      tab (or access "about:addons")
    * Locate "Cisco WebEx Extension" in the list of extensions and click
      the "More" link
    * The version will be displayed


III. Solution

  Cisco has released a version that addresses the vulnerability. Please
  apply the update using the update function of each browser.

  - Cisco WebEx extension on Google Chrome (1.0.12)
  - Cisco WebEx extension on Mozilla Firefox (1.0.12)

  In addition, Cisco has released information on how to remove
  WebEx-related software if you are not using it.

    Cisco Systems
    Meeting Services Removal Tool
    https://help.webex.com/docs/DOC-2672#jive_content_id_Meeting_Services_Removal_Tool


IV. References

    US-CERT
    Cisco Releases Security Updates
    https://www.us-cert.gov/ncas/current-activity/2017/07/17/Cisco-Releases-Security-Updates

    Cisco Systems
    Cisco WebEx Browser Extension Remote Code Execution Vulnerability
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

    Google Chrome
    Cisco WebEx Extension (Google Chrome)
    https://chrome.google.com/webstore/detail/cisco-webex-extension/jlhmfgmfgeifomenelglieieghnjghma?hl=en

    Mozilla Firefox
    Cisco WebEx Extension (Mozilla Firefox)
    https://addons.mozilla.org/en-US/firefox/addon/cisco-webex-extension/


  If you have any information regarding this alert, please contact
  JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
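
The Google Chrome version check from "II. Affected Products", as an added script (not part of the JPCERT/CC alert or Cisco's advisory) that reads the extension's manifest from each Chrome profile and compares it with 1.0.12. The on-disk layout `<User Data>/<profile>/Extensions/<id>/<dir>/manifest.json` and the default Windows path are assumptions; the extension ID is the one in the Chrome Web Store URL under "IV. References".

```python
import json
import os
from pathlib import Path

# Extension ID taken from the Chrome Web Store URL in "IV. References".
WEBEX_CHROME_ID = "jlhmfgmfgeifomenelglieieghnjghma"
FIXED_VERSION = "1.0.12"  # fixed release listed in "III. Solution"


def parse_version(text):
    """Turn '1.0.9' into (1, 0, 9) so that 1.0.9 sorts before 1.0.12."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is prior to the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_webex_installs(user_data_dir):
    """Return (profile, version, affected) for each installed copy.

    Assumed layout: <User Data>/<profile>/Extensions/<id>/<dir>/manifest.json
    A manifest that cannot be read or parsed is reported as (profile, None,
    None) so that it is reviewed by hand instead of silently passing.
    """
    results = []
    pattern = f"*/Extensions/{WEBEX_CHROME_ID}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        profile = manifest.parents[3].name
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            results.append((profile, version, is_affected(version)))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            results.append((profile, None, None))
    return results


def default_user_data_dir():
    """Default Chrome profile root on Windows (assumption, not from the alert)."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"


if __name__ == "__main__":
    for profile, version, affected in find_webex_installs(default_user_data_dir()):
        status = {True: "AFFECTED, update to 1.0.12", False: "ok", None: "check manually"}
        print(f"{profile}: Cisco WebEx extension {version} ({status[affected]})")
```

The numeric comparison matters here: compared as plain strings, "1.0.9" sorts after "1.0.12" and an affected install would be reported as fixed.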