Collaboration software specialist WebEx Communications has released a critical security update to correct a remote code execution flaw affecting its enterprise customers.
The vulnerability was discovered in the ActiveX control installed by WebEx when attending or hosting a meeting and could allow an attacker to launch code execution attacks on a users workstation.
The attack vector requires that the target is lured to view a maliciously rigged Web page.
The flaw is described as a design error where certain additional components are not validated before being downloaded from arbitrary locations.
This could be exploited by remote attackers to download and initialize a malicious DLL by tricking a user into visiting a specially crafted Web page, according to a warning from ISS X-Force, the company that discovered the bug.
Affected products include Internet Explorer 6.0.2800 with WebEx ActiveX version versions prior to ActiveX downloader 220.127.116.11; and Firefox 1.0.7 with WebEx ActiveX version previous to ActiveX downloader 18.104.22.168.
The company recommends that users upgrade to version 22.214.171.124 immediately.
According to the ISS X-Force warning, a successful attack may lead to exposure of confidential information, loss of productivity and further network compromise.
“Successful exploitation of these vulnerabilities could be used to gain unauthorized access to networks and machines. No authentication is required for an attacker to leverage this vulnerability,” the company warned.