On Monday, Tavis Ormandy of Project Zero revealed that the Cisco WebEx Chrome extension (20M users) has a critical vulnerability.
OMFG🔥 The WebEx Chrome extension has a trivial code execution vulnerability: any website could just install malware on your machine silently https://t.co/3hsvUaQRJU
— Filippo Valsorda (@FiloSottile) 23 January 2017
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://t.co/sAqZrDN4ad
— Tavis Ormandy (@taviso) 23 January 2017
This is the tl;dr: ANY website can silently load a specially named file that asks the WebEx extension to execute anything the attacker wants on your computer.
This is exactly the kind of "just visit this random website and now you have malware" scenario that we haven't seen in a while (on a large scale) and that we don't want to go back to.
Needless to say, this is pretty damn irresponsible of Cisco, even if they deserve praise for fixing it fast, I guess.
An updated, fixed version (1.0.3 1.0.7) is available. It will roll out automatically, but I don't know how long that will take.
Here is how to check that you have the latest version, how to install it if you don't, and how to further protect yourself from the weakness of the patch by using a dedicated profile.
(Read the bug linked at the top for the l33t technical details; this post is full of screenshots for users.)
Checking and updating
First, go to the Extensions page.
If you have version 1.0.3 1.0.7, you're good.
If not, click the "Developer mode" checkbox and then click the "Update extensions now" button.
Make sure that the version updates to 1.0.3 1.0.7 and then untick "Developer mode".
Using a dedicated profile
The protection of the patch is pretty weak. All it does is show a popup like the following. Clicking OK will still cause malware to be installed.
Moreover, the webex.com website is still allowed to bypass the popup. If a vulnerability is found on the webex.com website, it can be used to compromise any machine running even the updated version.
Here is how you can make a dedicated WebEx profile to mitigate that risk.
First, uninstall WebEx from the Extensions page.
Then click the menu in the top-right corner (it shows either your name or a small person icon) and click "Manage People".
Click "Add person", call it "WebEx", and click "Save". You'll now be in a browser window with "WebEx" in the top-right corner (it's called a profile).
Install WebEx again in this window/profile.
Don't use the WebEx profile for anything other than WebEx.
To open it later from your normal profile, click on the top-right menu, and then click "WebEx".
Now any website you visit from your normal profile can't attack the WebEx extension.
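As an added check for both sections above (example code added here, not from the original post or from Cisco): the script below scans every Chrome profile's Extensions directory for an unpacked WebEx extension manifest and reports whether each copy is at or above the fixed version, so you can confirm that the dedicated profile has the fixed build and that your normal profile has no copy at all. It assumes Chrome's standard on-disk layout (<user data>/<profile>/Extensions/<id>/<version>/manifest.json) and that the extension's manifest name contains "WebEx"; the sample manifests it creates for the demo are constructed.

```python
import json
import tempfile
from pathlib import Path

REQUIRED_VERSION = "1.0.7"  # fixed version named in the post; raise it if Cisco ships a newer build

def parse_version(text):
    """'1.0.7' -> (1, 0, 7), so '1.0.10' sorts above '1.0.7' (a plain string compare would not)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def find_webex(user_data):
    """Map profile dir -> WebEx versions found at <profile>/Extensions/<id>/<ver>/manifest.json."""
    found = {}
    for manifest in Path(user_data).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest: skip it rather than abort the scan
        # Caveat: localised names appear as "__MSG_...__" and would need a _locales lookup.
        if "webex" not in str(data.get("name", "")).lower():
            continue
        profile = manifest.parents[3].name  # the <profile> component of the path
        found.setdefault(profile, []).append(str(data.get("version", "0")))
    return found

def assess(found, required=REQUIRED_VERSION):
    """One report line per installed copy: OK at or above the required version, else OUTDATED."""
    lines = []
    for profile, versions in sorted(found.items()):
        for v in versions:
            status = "OK" if parse_version(v) >= parse_version(required) else "OUTDATED"
            lines.append(f"{profile}: WebEx {v} {status}")
    return lines

def demo():
    """Constructed layout: an outdated copy left in Default, the fixed copy in the dedicated profile."""
    root = Path(tempfile.mkdtemp())
    samples = {"Default": ("1.0.3", "Cisco WebEx Extension"),
               "Profile 1": ("1.0.7", "Cisco WebEx Extension"),
               "Profile 2": ("5.0.0", "Unrelated extension")}  # must not be reported
    for profile, (ver, name) in samples.items():
        d = root / profile / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / f"{ver}_0"  # constructed id
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": ver}))
    return assess(find_webex(root))

if __name__ == "__main__":
    print("\n".join(demo()))  # pass your real Chrome user-data directory to find_webex() instead
```

Point find_webex() at your real Chrome user-data directory (~/.config/google-chrome on Linux, ~/Library/Application Support/Google/Chrome on macOS, %LOCALAPPDATA%\Google\Chrome\User Data on Windows) to scan a live install. The dedicated "WebEx" profile appears on disk as a "Profile N" directory, not under its display name.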
To keep up to date on the issue, you might follow me on Twitter.