WebEx still holds the largest market share in the web conferencing field. That makes its security vulnerabilities of higher concern than those of webinar technologies that aren’t quite as ubiquitous.
Core Security Technologies put out a press release yesterday announcing a now-fixed stack overflow vulnerability in both the WebEx archive player and the polling feature of WebEx Meeting Center. They were able to create a situation that crashed the computers of other participants in a WebEx web conference.
Note that this was not something that would let an attacker install a virus on your computer or mysteriously erase your files. It was a situation that let stray data overwrite memory locations, causing unexpected behavior and halting proper execution of programs on the computer.
WebEx has fixed both holes. Since Meeting Center is a hosted (SaaS) application, the patch is automatically in place when you run a meeting. The WebEx player (for playing back recordings) is an application installed on your personal computer, so if you play back WebEx recordings you should definitely download and install the latest version of the player from the WebEx site.
If you are interested in digging into the technical details, Core Security has all the juicy bits on a web page explaining the vulnerability. Of particular interest is their historical timeline of the problem. It was discovered and reported to Cisco on October 4 of last year. Core’s timeline author sounds a little peeved to me as he describes some initial stonewalling and lack of movement from Cisco, which claimed it couldn’t reproduce the problem and then stopped communicating for a while. Then there is additional back and forth between the companies as they debate the merits of informing customers versus keeping it quiet so that bad guys don’t have a chance to exploit the opening.
The sentence that really gets my attention is this one: “2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code.”
Huh? I thought the advantage of SaaS was that a central code base can be updated more quickly and put into production for everybody who uses it. The fact that a priority fix for a fatal vulnerability takes four to five weeks to propagate throughout the user base is rather worrisome.
Oh well. Update your WebEx player. And think about whether you want to use hosted or on-premises software.