Cisco fixes major security flaws in Webex on Windows and Mac
Latest version of Webex includes patches for both high severity vulnerabilities
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Cisco has addressed two high severity vulnerabilities in its Webexvideo conferencing softwarethat could have allowed unprivileged attackers to run programs and code on vulnerable systems.
The two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect Cisco Webex Meetings Desktop App releases earlier than version 39.5.12. and all Webex users should update their software to the latest version to avoid falling victim to any potential exploits.
In anadvisoryconcerning the arbitrary program execution flaw affecting Webex’s Windows client, Cisco provided more details on the vulnerability and explained what an attacker could do to a user’s system following a successful exploit, saying:
“The vulnerability is due to improper validation of input that is supplied to application URLs. The attacker could exploit this vulnerability by persuading a user to follow a malicious URL. A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Webex vulnerabilities
Cisco also patched a remote code execution vulnerability in Webex’s Mac client that was caused by improper certificate validation on software update files downloaded by the software.
The vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code with the same privileges of the logged in user on macOS. In aseparate advisory, Cisco explained how an attacker could exploit the vulnerability, saying:
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Cisco has since fixed both of these vulnerabilities with the release of version 40.1.0 of Webex for Windows and version 39.5.11 of Webex for Mac. Windows and Mac users can update their Cisco Webex clients by followingthese instructionswhile admins can update both versions of the client by followingthis guide.
ViaBleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
This new malware utilizes a rare programming language to evade traditional detection methods
Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days
Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time
