Cisco Webex Plugin Vulnerability – Part of a Much Bigger Issue
Recently Cisco published a critical vulnerability alert regarding their Webex browser plugin. While the plugin vulnerability, which affected Firefox, Chrome and Internet Explorer, was very serious, it points to a much bigger issue.
First the plugin issue.
The bug affects Webex Meeting Server, Meeting Center, Event Center, Training Center and Support Center. Due to a design flaw in the API, an attacker could execute arbitrary code with the permissions of the user and the browser.
There are no workarounds for this bug. The only two options are to uninstall the Webex browser plugins or to install the updated software. This assumes that you even know which computers have the affected Webex plugins installed on them.
Apparently, these browser plugins do not update themselves automatically.
So what is the bigger issue?
While organizations and individuals have gotten somewhat of a handle on patching Microsoft Windows every month, that is only the tip of the iceberg.
Every piece of software that is installed in your organization needs to be patched, and patched periodically (that may mean daily, weekly or monthly, depending on the vendor’s patch release schedule).
Back before I gave up totally on Adobe Flash, there were often daily updates. On occasion, there were patches in the morning and more patches in the afternoon. As soon as the patches are released, the hackers reverse engineer them knowing that many companies and users will not install the patches. At that point they have a roadmap for an attack.
As a company or an individual user, that means that you need to understand what software is installed everywhere – including on servers, workstations, printers, switches, routers. It includes software that IT installs and software that users install. Saying Windows is installed on a computer is not sufficient. What optional software is installed along with Windows is much harder to track.
Many organizations and most individuals don’t even track every piece of software in the organization. For example, there is some security research that outlines a large number of flaws in printer drivers from a number of manufacturers. Some printers had as many as a dozen flaws and the researchers only tested a handful of printers (see the report here). My guess is that patching printer drivers on every desktop and laptop computer in an organization is not the highest priority.
The bad news is that the hackers know this, so exploiting one of those vulnerabilities is their priority.
As a business or personal user, there are three things to do:
#1 – UNINSTALL any software anywhere (desktops, laptops, servers, phones, tablets, routers, switches, network storage, etc.) that you don’t need. Software that is not installed doesn’t provide an attack surface.
#2 – INVENTORY all software that is installed everywhere. That would include the location, the name and the version.
#3 – CREATE a system to track when updates are available, when they get installed and on which machines they get installed. This is a pretty big matrix (number of devices times number of software modules).
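A minimal sketch of the matrix from steps #2 and #3, added here as an illustration and not taken from Cisco or from the original post: it joins an inventory of (device, software, version) rows against a feed of fixed versions and reports what is still unpatched and what has no update feed at all. All device names, product names and versions are constructed, and versions are assumed to be dotted integers.

```python
from collections import defaultdict

# Constructed sample inventory (step #2): device, software, installed version.
INVENTORY = [
    ("ws-001", "meeting-plugin", "1.9.0"),
    ("ws-002", "meeting-plugin", "1.10.2"),
    ("ws-002", "printer-driver-x", "4.2"),
    ("srv-01", "printer-driver-x", "4.2.1"),
    ("ws-003", "legacy-tool", "2.0"),
]

# Constructed update feed (step #3): software -> first version with the fix.
FIXED_IN = {"meeting-plugin": "1.10.0", "printer-driver-x": "4.2.1"}


def parse_version(text, width=4):
    """Turn '1.10' into (1, 10, 0, 0) so 1.10 sorts after 1.9 and 4.2 == 4.2.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def patch_matrix(inventory, fixed_in):
    """Return (outstanding patches per device, software nobody is tracking)."""
    outstanding = defaultdict(list)
    untracked = set()
    for device, software, installed in inventory:
        fixed = fixed_in.get(software)
        if fixed is None:
            # No feed for this product: someone has to watch the vendor by hand.
            untracked.add(software)
        elif parse_version(installed) < parse_version(fixed):
            outstanding[device].append((software, installed, fixed))
    return dict(outstanding), sorted(untracked)


if __name__ == "__main__":
    todo, untracked = patch_matrix(INVENTORY, FIXED_IN)
    for device, rows in sorted(todo.items()):
        for software, installed, fixed in rows:
            print(f"{device}: {software} {installed} -> {fixed}")
    print("no update feed:", ", ".join(untracked))
```

Comparing versions as plain strings would rank 1.9.0 above 1.10.0 and hide the unpatched workstation, which is why the versions are parsed into integer tuples first.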
There are products that will track software that is installed and some will even update some of that software, but when it comes to esoteric products, you pretty much have to wrestle it to the ground yourself.
Even for Windows, many of the updates that Microsoft tracks fall into the recommended and optional categories, and for most people those updates do not get installed.
This is one case where less (software products) is more (better).
Information for this post came from Cisco’s website.