Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Critical Vulnerability in Cisco WebEx Chrome Plugin

Published: 2017-01-24
Last Updated: 2017-01-24 16:09:55 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Update: Version 1.0.5 of the Google Chrome WebEx plugin, released this morning, fixes this issue.

The Google 0-Day project announced a critical remote code execution vulnerability in Cisco's WebEx plugin for Google Chrome. This vulnerability allows a remote attacker to execute arbitrary code on the victim's system by delivering it to the WebEx plugin via a special "secret" URL. 

The secret pattern:  cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

Google set up a test page and published a detailed report about how this vulnerability can be used to execute code [1].

Note that version 1.0.3 of the plugin, which was released on Sunday (Jan 22nd), appears to be still vulnerable. At this point, it is probably best to uninstall the plugin and use a different browser for WebEx (of course, this issue may affect plugins for other browsers as well).

An attack would be invisible to the user if executed "right". The user does not have to willingly join a WebEx meeting to exploit this vulnerability.



Johannes B. Ullrich, Ph.D.

Keywords: chrome cisco webex
3 comment(s)
All things Apple Updated today: iTunes 12.5.5 (Windows), Safari 10.0.3, macOS 10.12.3, iOS 10.2.1, tvOS 10.1.1, watchOS 3.1.3 - Details at

If you have more information or corrections regarding our diary, please share.

Recent Diaries

How to Have Fun With IPv6 Fragments and Scapy
Jan 23rd 2017
1 day ago by Johannes (2 comments)

Sage 2.0 Ransomware
Jan 21st 2017
3 days ago by Brad (6 comments)

PowerShell 5.1 for Windows 7 and later
Jan 20th 2017
4 days ago by Basil (0 comments)

Making Windows 10 a bit less "Creepy" - Common Privacy Settings
Jan 18th 2017
6 days ago by Rob VandenBrink (3 comments) a web api for SEIM phishing hunts
Jan 17th 2017
1 week ago by Mark (0 comments)

View All Diaries →

Latest Discussions

Importance of File Integrity Monitoring software
created Jan 18th 2017
6 days ago by Promisec (0 replies)

New Incident Response/Forensics tool : srum-dump.exe
created Jan 12th 2017
1 week ago by Mark (1 reply)

How to make the social media accounts safe from hacking?
created Jan 6th 2017
2 weeks ago by Brad4333 (3 replies)

Time Warner Cable IMAP SSL certificate expired
created Dec 31st 2016
3 weeks ago by Paul (2 replies)

SonicWALL Setup
created Dec 29th 2016
3 weeks ago by HateTheSnow (3 replies)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
Oct 21st 2016
3 months ago by Johannes (9 comments)

Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
Nov 29th 2016
1 month ago by Johannes (21 comments)

Increase in Protocol 47 denys
Dec 29th 2016
3 weeks ago by Rick (11 comments)

TR-069 NewNTPServer Exploits: What we know so far
Nov 29th 2016
1 month ago by Johannes (12 comments)

Critical Vulnerability in Cisco WebEx Chrome Plugin
Jan 24th 2017
5 hours ago by Johannes (2 comments)