Update: Version 1.0.5 of the Google Chrome WebEx plugin, released this morning, fixes this issue.
The Google 0-Day project announced a critical remote code execution vulnerability in Ciscos WebEx plugin for Google Chrome. This vulnerability allows a remote attacker to execute arbitrary code on the victims system by delivering it to the WebEx plugin via a special secret URL.
The secret pattern: cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
Google set up a test page and published a detailed report about how this vulnerability can be used to execute code [1].
Note that version 1.0.3 of the plugin, which was released on Sunday (Jan 22nd), appears to be still vulnerable. At this point, it is probably best to uninstall the plugin and use a different browser for WebEx (of course, this issue may affect plugins for other browsers as well).
An attack would be invisible to the userif executed right. The user does not have to willingly join a WebEx meeting to exploit this vulnerability.
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
—
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.