2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor looks at how Cisco fixed serious vulnerabilities in Webex Meetings for Windows and macOS. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of reading it.
Cisco has released security updates to fix two high-severity vulnerabilities in Cisco Webex Meetings Desktop App for Windows and macOS that can be exploited by unprivileged attackers to run programs and code on vulnerable computers.
Cisco Webex Meetings is online meeting and videoconferencing software that makes it easy for users to schedule and join meetings. The platform also provides presentation, screen sharing and recording functions.
These two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect locked versions of Cisco Webex Meetings Desktop App prior to 39.5.12 and Cisco Webex Meetings Desktop App for Mac prior to 39.5.11, respectively.
Execute programs remotely on Windows systems
The arbitrary program execution vulnerability that affects Windows clients stems from improper validation of URLs supplied to affected versions of Cisco Webex Meetings Desktop App.
Remote unauthenticated attackers can use CVE-2020-3263 to execute programs on systems running an unpatched version of Cisco Webex Meetings Desktop App. An attacker can exploit this vulnerability by luring the target user into clicking on a malicious URL.
"Successfully exploiting this vulnerability, an attacker can cause the application to execute other programs that already exist on the end user system," Cisco wrote in a security bulletin.
"If an attacker implants a malicious file on this system or on an accessible network file path, the attacker can execute arbitrary code on the affected system."
Execute arbitrary code remotely on Macs
The remote code execution vulnerability found in the macOS client is due to improper certificate validation of the software update files downloaded by affected versions of Cisco Webex Meetings Desktop App for Mac.
If a Mac is running an unpatched version of Cisco Webex Meetings Desktop App for Mac, an unauthenticated attacker can use CVE-2020-3342 to remotely execute arbitrary code with the privileges of the user who is logged in to the computer.
"An attacker can exploit this vulnerability by enticing a user to visit a website that returns a malicious file to the client, which appears to be a file returned from a legitimate Webex website," Cisco explained.
"The client may not be able to correctly verify the encryption protection of the provided file before executing the provided file as part of the update."
Workarounds and mitigation measures
Although there is no known workaround for these two vulnerabilities, Cisco has released free software updates that fix them.
At the time of the security announcement, Cisco's Product Security Incident Response Team (PSIRT) was not aware of any public reports or malicious exploitation of these two vulnerabilities.
Cisco fixed CVE-2020-3263 in Cisco Webex Meetings Desktop App 40.1.0 and later (for locked versions, 39.5.12 and later) and CVE-2020-3342 in Cisco Webex Meetings Desktop App for Mac 39.5.11 and later (locked versions).
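The fixed releases listed above can be turned into an inventory check. The following is an added example, not code from Cisco or from the original article; the inventory rows are constructed, and treating every 39.5.x build as belonging to the locked train is an assumption.

```python
import re

# Fixed releases as stated in the article: (CVE, locked-train fix, standard fix).
FIXED = {
    "windows": ("CVE-2020-3263", (39, 5, 12), (40, 1, 0)),
    "macos": ("CVE-2020-3342", (39, 5, 11), None),
}
LOCKED_TRAIN = (39, 5)  # assumption: every 39.5.x build is a locked version


def parse_version(text):
    """Return a tuple of ints for '39.5.11' or '40.1.0.123', else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def assess(platform, version_text):
    """Classify one installation as 'fixed', 'vulnerable' or 'unknown'."""
    entry = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if entry is None or version is None:
        # Unparseable or unexpected data is flagged for a manual look.
        return "unknown", (entry[0] if entry else None)
    cve, locked_fix, standard_fix = entry
    if version[:2] == LOCKED_TRAIN or standard_fix is None:
        threshold = locked_fix
    else:
        threshold = standard_fix
    return ("fixed" if version >= threshold else "vulnerable"), cve


def triage(inventory):
    """Return (host, status, cve) for every row not confirmed as fixed."""
    findings = []
    for host, platform, version_text in inventory:
        status, cve = assess(platform, version_text)
        if status != "fixed":
            findings.append((host, status, cve))
    return findings


# Constructed inventory rows: (host, platform, installed version).
SAMPLE = [
    ("ws-01", "windows", "39.5.11"), ("ws-02", "windows", "40.1.0"),
    ("ws-03", "windows", "40.0.9"), ("mac-01", "macos", "39.5.10"),
    ("mac-02", "macos", "39.5.11"), ("ws-04", "windows", "n/a"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Rows reported as `unknown` carry a version string that could not be parsed and should be checked by hand rather than assumed safe.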
This is not the first time a vulnerability has been discovered and fixed in Cisco's Webex online video collaboration software.
Last year, Cisco also fixed a privilege escalation vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows. An unauthenticated local attacker can exploit this vulnerability to escalate privileges and run arbitrary commands with SYSTEM privileges.
That is how Cisco fixed the serious vulnerabilities in Webex Meetings for Windows and macOS, as shared by the editor. If you happen to have similar questions, please refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.