Cisco Systems has released security updates for the software clients installed by users who attend WebEx-based meetings to fix a critical vulnerability that could allow remote attackers to compromise their computers.
“An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client,” Cisco said in an advisory. “Exploitation of this vulnerability could allow arbitrary code execution on the system of a targeted user.”
The flaw affects Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2, Cisco WebEx Business Suite (WBS32) client builds prior to T32.10, Cisco WebEx Meetings with client builds prior to T32.10 and Cisco WebEx Meetings Server builds prior to 2.8 MR2.
Cisco WebEx Business Suite (WBS) and Cisco WebEx Meetings are hosted multimedia conferencing solutions, while the Cisco WebEx Meetings Server is a standalone solution that customers can run in their own private clouds. To attend meetings, Windows, Linux or Mac users have to install the corresponding WebEx clients offered by these solutions.
Companies can check the version of the WebEx clients offered to attendees by logging into their account on the Cisco WebEx meeting site, going to the Support > Downloads section and looking on the About Meeting Center page. From inside the client, users can check the version by going to Help > About Cisco WebEx Meeting Center.
“Customers who do not receive automatic software updates may be running versions of Cisco WebEx that have reached end of software maintenance and should contact customer support,” Cisco warned.
This vulnerability is particularly dangerous because Cisco WebEx is one of the most widely used web conferencing applications in business environments. Moreover, some users might have installed the client at some point to attend a single meeting and then never removed it.
Such users might want to uninstall their existing version and install the latest version only when they need to attend another WebEx-based meeting in the future. Cisco provides WebEx client uninstall tools for Windows and Mac on a separate support page.
Cisco also has patched a critical vulnerability in its Unified Computing System (UCS) Director that could allow authenticated, remote attackers to view unauthorized information for any virtual machine.
Chrome Gets One Step Closer to Full Distrust of Symantec Certificates
With the Chrome 66 release this week, Google moved one step closer to its goal of distrusting all HTTPS certificates issued by Symantec and other certificate authorities it used to control, including Thawte, VeriSign, Equifax, GeoTrust and RapidSSL.
The new Chrome version removes trust in certificates issued from Symantec’s CA infrastructure before June 1, 2016. Certificates issued on or after that date will also be distrusted, but only in Chrome 70, which is scheduled for release this fall.
The decision to deprecate Symantec certificates was announced by Google in September and was echoed by Mozilla, following repeated incidents of certificate mis-issuance at Symantec and its CA subsidiaries over the years. To avoid massive fallout for customers, Symantec, one of the largest CAs on the internet, sold its certificate business to DigiCert, which now offers to replace all affected certificates at no cost.
For many users, the transition should be fairly easy given the advance notice and the phased deprecation plan. However, some organizations with long-lived certificates installed on thousands of systems or those with certificates installed on remote and hard-to-reach hardware devices might have some problems meeting the deadlines.
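Administrators with a large certificate estate will want to find out which of their certificates fall on which side of the June 1, 2016 cutoff before the Chrome 66 and Chrome 70 deadlines. The following Python script is an added example written for this article; it is not code from Google, Symantec or DigiCert. It takes the dictionary returned by Python's standard-library `ssl` module (`SSLSocket.getpeercert()`) and classifies the certificate by issuer brand and issue date. The brand list is taken from the article; matching issuer names on these substrings is an assumption and a heuristic, since the authoritative test is whether the chain ends in one of the root certificates Chrome actually distrusts. The sample certificate dictionaries are constructed for the example and do not describe real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the phased deprecation plan described in the article:
# certificates issued before this date lose trust in Chrome 66,
# certificates issued on or after it lose trust in Chrome 70.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# CA brands named in the article as part of the Symantec-controlled
# infrastructure. Assumption: substring matching on issuer names is a
# heuristic; the definitive list is Chrome's set of distrusted roots.
LEGACY_SYMANTEC_BRANDS = ("symantec", "thawte", "verisign",
                          "equifax", "geotrust", "rapidssl")


def issuer_names(cert):
    """Collect organizationName and commonName values from the issuer field
    of an ssl.getpeercert()-style dict (a tuple of RDNs, each a tuple of
    (attribute, value) pairs)."""
    names = []
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr in ("organizationName", "commonName"):
                names.append(value)
    return names


def not_before(cert):
    """Parse the notBefore field ('May 10 00:00:00 2016 GMT') into an aware
    UTC datetime using the standard library's own parser, or None if absent."""
    raw = cert.get("notBefore")
    if raw is None:
        return None
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(raw), tz=timezone.utc)


def classify(cert):
    """Return one of: 'unaffected', 'distrusted in Chrome 66',
    'distrusted in Chrome 70', or 'legacy issuer, unknown issue date'."""
    joined = " ".join(issuer_names(cert)).lower()
    if not any(brand in joined for brand in LEGACY_SYMANTEC_BRANDS):
        return "unaffected"
    issued = not_before(cert)
    if issued is None:
        return "legacy issuer, unknown issue date"
    if issued < CHROME66_CUTOFF:
        return "distrusted in Chrome 66"
    return "distrusted in Chrome 70"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate as a getpeercert() dict. The dict is
    only populated when the default context validated the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs in getpeercert() format (not real certificates).
SAMPLE_CERTS = {
    "legacy-before-cutoff": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "May 10 00:00:00 2016 GMT",
        "notAfter": "May 10 23:59:59 2018 GMT",
    },
    "legacy-after-cutoff": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "GeoTrust Inc."),),
                   (("commonName", "RapidSSL SHA256 CA"),)),
        "notBefore": "Sep 20 00:00:00 2017 GMT",
        "notAfter": "Sep 20 23:59:59 2019 GMT",
    },
    "other-ca": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Server CA 1"),)),
        "notBefore": "Jan 15 00:00:00 2016 GMT",
        "notAfter": "Jan 15 23:59:59 2019 GMT",
    },
}


def audit(certs):
    """Classify a mapping of label -> getpeercert() dict."""
    return {label: classify(cert) for label, cert in certs.items()}


if __name__ == "__main__":
    for label, status in audit(SAMPLE_CERTS).items():
        print(f"{label}: {status}")
```

To audit real hosts, replace `SAMPLE_CERTS` with `{host: fetch_peer_cert(host) for host in hosts}`; note that `getpeercert()` returns an empty dict when chain validation fails, which `classify` reports as "unaffected", so check for an empty result separately.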
Chrome 66 is also running a small trial for Site Isolation, a feature that forces every website to have its own dedicated rendering process inside the browser and helps block Spectre attacks. According to Google, the trial is in preparation for a broader upcoming launch.