Update January 31, 2017
Cisco has released software updates for their WebEx browser extension for Google Chrome, Firefox, and Internet Explorer that address this vulnerability. Please visit the Cisco Security Advisory page for more details on how to update your browser extensions.
On January 24, 2017, Cisco released a security advisory regarding a high-severity vulnerability in their WebEx browser extension. According to Cisco, this vulnerability allows “an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.”
This means that an attacker can commandeer your computer when you visit an attacker-controlled website (i.e., a “watering hole attack”) or open a malicious link.
Cisco explains that this vulnerability affects the WebEx browser extension for Google Chrome, Mozilla Firefox, and Internet Explorer running on the Windows operating system.
This vulnerability does not affect Cisco WebEx browser extensions on Mac or Linux platforms, or Cisco’s WebEx browser extensions for Microsoft Edge.
What should I do if I’m affected?
Cisco attempted to fix this vulnerability in v1.0.5 of the WebEx browser extension, but this version does not fully address the vulnerability. Cisco is working on a new version and expects it to be available soon.
Until Cisco releases a patch for the vulnerable WebEx browser extension, we urge Stanford community members to remove or disable the WebEx extension. Below are instructions for removing browser extensions:
More information about the Cisco WebEx Browser Extension Remote Code Execution Vulnerability can be found in the Cisco security advisory.