The flaw, discovered by researcher Elazar Broad and rated "highly critical" by Secunia, is confirmed in version 20.2008.2601.4928. Other versions may also be affected.
This vulnerability is due to improper handling of arguments passed to the "NewObject()" method within the WebexUCFObject ActiveX control (atucfobj.dll). By convincing a user to visit a specially crafted web page, a remote attacker may be able to execute arbitrary code.
Broad said Webex has released version 20.2008.2606.4919 of the ActiveX control with a fix for the vulnerability. The control should be updated when the user joins a meeting," he said.
US-CERT is strongly encouraging Webex Meeting Manager users to upgrade to this version or set the kill bit for the following CLSID:
- 32E26FD9-F435-4A20-A561-35D4B987CFDC
Instructions for setting kill bits in Internet Explorer can be found in this Microsoft KB article.