Severe vulnerability in Cisco's WebEx extension for Chrome leaves PCs open to easy attack

If you have the Cisco WebEx Chrome browser extension installed make sure you're running the latest version.

5018939048 1240b02422 o
Prayitno (CC BY 2.0)

Anyone who uses the popular Cisco WebEx extension for Chrome should update to the latest version pronto. Google security researcher Tavis Ormandy recently discovered a serious vulnerability in the Chrome extension that leaves PCs wide open to attack.

In older versions of the extension (before version 1.0.3) malicious actors could add a “magic string” to a web address or file hosted on a website. The magic string was designed to remotely activate the WebEx browser extension. Once the extension was activated the bad guys could execute malicious code on the target machine. 

ciscowebextension Ian Paul

The impact on you at home: It’s a good idea for anyone who uses this extension to make sure it’s updated to the latest version given the severity of the vulnerability. To start type chrome://extensions into the Chrome address bar and hit Enter. Next, scroll down until you see the entry for the Cisco WebEx Extension—extensions are organized alphabetically. To the right of the extension name you should hopefully see version 1.0.5, as pictured above.

Protect yourself

If you don’t, you can do one of three things.

The first is to uninstall the extension by clicking the garbage can icon, and then reinstall it from the Chrome Web Store. The second method is to check the Developer mode box in the top right corner of the chrome://extensions page. That will reveal a button in the top right corner called Update extensions now. Click that, and you should be all set.

It’s not clear if version 1.0.5 offers any significant protection against the threat Ormandy describes. Apparently, all version 1.0.3 did was offer a pop-up anytime that magic code was used, according to Cloudfare security researcher Filippo Valsorda. That puts the onus on the user to make sure they really want to be using WebEx when that pop-up appears. 

webex chrome or desktop app IDG

That brings us to the last solution. If you’d rather not bother with the extension it’s also possible to use a temporary, downloadable desktop program each time you want to use WebEx. That may not be convenient, but it’s an alternative.

Ormandy’s discovery raised enough eyebrows that Mozilla blocked WebEx for Firefox. At this writing, version 1.0.3 of the extension (released on Tuesday, January 24) was in the Firefox add-ons catalog; however, as Mozilla has yet to review the updated extension it can’t be installed on the mainstream version of Firefox 43 and up.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon