Anyone who uses the popular Cisco WebEx extension for Chrome should update to the latest version pronto. Google security researcher Tavis Ormandy recently discovered a serious vulnerability in the Chrome extension that leaves PCs wide open to attack.
In older versions of the extension (before version 1.0.3) malicious actors could add a “magic string” to a web address or file hosted on a website. The magic string was designed to remotely activate the WebEx browser extension. Once the extension was activated the bad guys could execute malicious code on the target machine.
It’s a good idea for anyone who uses this extension to make sure it’s updated to the latest version given the severity of the vulnerability. To start type
chrome://extensions into the Chrome address bar and hit Enter. Next, scroll down until you see the entry for the Cisco WebEx Extension—extensions are organized alphabetically. To the right of the extension name you should hopefully see version 1.0.5, as pictured above.
If you don’t, you can do one of three things.
The first is to uninstall the extension by clicking the garbage can icon, and then reinstall it from the Chrome Web Store. The second method is to check the Developer mode box in the top right corner of the
chrome://extensionspage. That will reveal a button in the top right corner called Update extensions now. Click that, and you should be all set.
It’s not clear if version 1.0.5 offers any significant protection against the threat Ormandy describes. Apparently, all version 1.0.3 did was offer a pop-up anytime that magic code was used, according to Cloudfare security researcher Filippo Valsorda. That puts the onus on the user to make sure they really want to be using WebEx when that pop-up appears.
That brings us to the last solution. If you’d rather not bother with the extension it’s also possible to use a temporary, downloadable desktop program each time you want to use WebEx. That may not be convenient, but it’s an alternative.
Ormandy’s discovery raised enough eyebrows that Mozilla blocked WebEx for Firefox. At this writing, version 1.0.3 of the extension (released on Tuesday, January 24) was in the Firefox add-ons catalog; however, as Mozilla has yet to review the updated extension it can’t be installed on the mainstream version of Firefox 43 and up.