Cisco Patches Critical Playback Bugs in WebEx Players

Cisco Systems issued a Critical alert on Wednesday warning of multiple vulnerabilities in its popular WebEx player. Six bugs were listed in the security advisory, each of them relating to holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.

“A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” according to Cisco.
Cisco warned exploitation of the vulnerabilities could allow arbitrary code execution on a targeted system. In less severe cases, the vulnerabilities could cause players to crash.
Vulnerable products include:
No workarounds are available for any of the vulnerabilities. Cisco has released software updates that address the bugs. It added that the Cisco Product Security Incident Response Team is not aware of any public exploits of the six vulnerabilities.
The vulnerabilities impact the Cisco WebEx ARF Player and the Cisco WebEx WRF Player, both used to play back previously saved WebEx meetings. Cisco said the players are automatically installed when a user attempts to play back meetings saved on a WebEx server.
As part of its mitigation, Cisco said it has updated Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF and WRF Players.
The Common Vulnerabilities and Exposures (CVE) numbers are CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372. Each of the CVEs has a base score of 9.6 out of 10 for severity.
Four of the six CVEs are for critical RCE vulnerabilities. CVE-2017-12367 is tied to a denial of service vulnerability, and CVE-2017-12369 is tied to a Cisco WebEx Network Recording Player out-of-bounds vulnerability.
“To exploit these vulnerabilities, the player application would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting,” Cisco said.
In July, Cisco also updated its WebEx browser extensions for Chrome and Firefox after Google Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar privately disclosed a vulnerability that could be abused to remotely run code on a computer running the browser extension.