XSS on WebEx domains undoes previous fixes to Cisco WebEx Chrome extension

The more than 20 million users of Cisco's WebEx Chrome extension need to update again, as a way to bypass the changes made earlier this week.

cisco-webex-xss-chrome-extension.png

At the start of this week, Google Project Zero security researcher Tavis Ormandy made public his discovery of a remote code execution vulnerability within Cisco's WebEx extension for Chrome.

In his comments on Cisco's patches, which whitelisted code execution on the webex.com domain and prompted the user on other domains, Ormandy sagely warned of the situation the networking giant had to address later in the week.

"I think we will consider this issue fixed now. Hopefully, webex.com is well maintained and not full of XSS," he said.

It did not take Ormandy long to find a cross-site scripting (XSS) hole that allowed him to perform remote code execution.

"This requires an XSS on *.webex.com, but they're unfortunately not difficult to find," the security researcher said.

In response, Cisco has released version 1.0.7 of the extension, which introduces a whitelist for clamping down on the properties Ormandy was exploiting.

"It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement," Ormandy wrote.

"Another very quick response from Cisco, I continue to be impressed with Cisco's response time."

Following the unmasking of the earlier WebEx bug, images of claimed XSS exploits appeared on social media.

"I'm an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines? At least 10M, according to the extension page," Mozilla's April King said earlier this week.

Filippo Valsorda of Cloudflare recommended users install the WebEx extension in a dedicated Chrome profile to protect a user's main profile from attack.