WebEx Plugs Critical ActiveX Control Flaw

Collaboration software specialist WebEx Communications has released a critical security update to correct a remote code execution flaw affecting its enterprise customers.

The vulnerability was discovered in the ActiveX control installed by WebEx when attending or hosting a meeting and could allow an attacker to launch code execution attacks on a users workstation.

The attack vector requires that the target is lured to view a maliciously rigged Web page.

The flaw is described as a design error where certain additional components are not validated before being downloaded from arbitrary locations.

This could be exploited by remote attackers to download and initialize a malicious DLL by tricking a user into visiting a specially crafted Web page, according to a warning from ISS X-Force, the company that discovered the bug.

Affected products include Internet Explorer 6.0.2800 with WebEx ActiveX version versions prior to ActiveX downloader 2.1.0.0; and Firefox 1.0.7 with WebEx ActiveX version previous to ActiveX downloader 2.1.0.0.

The company recommends that users upgrade to version 2.1.0.0 immediately.

/zimages/7/28571.gifClick hereto read about WebExs instant messaging collaboration with AOL.

According to the ISS X-Force warning, a successful attack may lead to exposure of confidential information, loss of productivity and further network compromise.

“Successful exploitation of these vulnerabilities could be used to gain unauthorized access to networks and machines. No authentication is required for an attacker to leverage this vulnerability,” the company warned.

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.