WebEx

Yesterday, Cisco announced a critical vulnerability in WebEx:
   http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

The interesting thing about this vulnerability is that you can clean up
all of your WebEx installs, but as soon as you create a session with a
WebEx server that has not been upgraded, you are once again vulnerable.
In other words, you are at the mercy of your WebEx presenter.

BTW, despite the fact that Cisco says exploits are available, there is
not the first mention of this vulnerability on the WebEx web site.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Jon Kibler wrote:

> BTW, despite the fact that Cisco says exploits are available, there is
> not the first mention of this vulnerability on the WebEx web site.

I really hate to reply to my own postings, but in this case I will make
an exception.

I just got an email from a Cisco PSIRT manager who said that they were
working with WebEx to address the issue that WebEx does not have an
announcement of the vulnerability on its web site, and Cisco will try to
ensure a similar omission does not happen again.

I am glad to see that Cisco is headed on the right track!

Jon