Whether you’re loyal to Microsoft’s Internet Explorer, or whether you opt for one of the dozens of other web browsers available to download and use for free out there (such as Google Chrome, Opera, Mozilla’s Firefox or Mac Safari), you are probably using your preferred browser to access both personal and professional websites. These wondrous tools that are part of our daily (digital) lives can now replace other existing software thanks to something called an extension.
Indeed, a browser extension (also known as a plugin or an add-on) allows web developers to extend the software features supported by the browser. This can simply mean adding an additional function to your search bar or it can go as far as improving internal browser tools.
Warning: there is such a thing as too many browser extensions.
Unfortunately, no good thing is perfect and we can say the same for extensions. Often requiring access to sensitive browser data and even system data, they hide behind their innocent packaging as a dormant cybersecurity threat.
The latest cybersecurity horror of this sort, dubbed CVE-2017-3823, applies to Cisco’s special-purpose WebEx browser extension. WebEx is a popular collaboration tool for attending online events such as meetings, webinars and videoconferences. The news made the headlines when Tavis Ormandy at Google’s Project Zero discovered and documented the bug. The security issue in question is deemed highly critical: it is a remote code execution hole in the Cisco WebEx extension, a service currently being used by more than 20 million people worldwide.
At the present time, we are not aware whether this bug is being actively exploited, but it’s probably safe to say that, if your organization uses WebEx and you have the browser extension installed, you may be at risk. According to Cisco, the following browsers are affected: Internet Explorer, Chrome and Firefox on Windows. On the other hand, Microsoft Edge on Windows and all browsers on Mac and on Linux are safe. This vulnerability specifically affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Meetings Center when they are running on Microsoft Windows.
The most recent update for Chrome’s Cisco WebEx extension is 1.0.7, readily available on the company’s official website. As far as a patch for Firefox or Internet Explorer is concerned, Cisco’s official Security Advisory page announced that an update is on its way. What’s more, Cisco’s initial fix does not appear to be complete, which has led to Google and Mozilla temporarily removing the add-on from their stores.
Just another malicious URL self-inflicted cyber-incident
On a Windows operating system, the WebEx extension uses the NativeMessaging API in order to communicate with the native apps installed on the machine. But, before the plugin can be used via NativeMessaging, the native app must first declare a manifest file, containing all configuration details (see figure below).
While analyzing the WebEx extension for Chrome, Ormandy noticed that it works on any URL that contains a ‘magic pattern’:
The ‘magic string’ can be found in the manifest file mentioned before. An attacker who can trick an affected user into visiting such a booby-trapped link can then execute arbitrary code with user privileges on the victim’s machine: WebEx can be instructed to run an arbitrary Windows program, without any sort of confirmation dialog. That’s what is known as Remote Code Execution (RCE) or a drive-by install, one of the most serious sorts of vulnerability (as we’ve seen in our previous article – Windows Vulnerability: Oh My Kernel!), and one most commonly known as a malware spreading vector.
Quick to react, Cisco attempted to patch the security hole by limiting the magic URL to https://*.webex.com and https://*.webex.com.cn domains. While this was deemed an acceptable fix, it was criticized as a partial patch, seeing how sneaky hackers could still booby-trap a WebEx URL and activate the extension silently through an earlier discovered cross-site scripting (XSS) flaw on webex.com.
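The two activation checks described above, side by side, as an added example (not Cisco's code and not taken from the extension). MAGIC_TOKEN is a constructed placeholder rather than the real pattern, and the function names and sample hosts are hypothetical.

```javascript
// Constructed placeholder: NOT the real WebEx pattern, which this page does not reproduce.
const MAGIC_TOKEN = "example-magic-token.html";

// Hosts from Cisco's first fix, as the article states them:
// https://*.webex.com and https://*.webex.com.cn
const ALLOWED_SUFFIXES = ["webex.com", "webex.com.cn"];

// Pre-fix behaviour as described: any URL containing the token activates the extension.
function activatesBeforeFix(rawUrl) {
  return rawUrl.includes(MAGIC_TOKEN);
}

// First-fix behaviour as described: token AND an HTTPS page on an allowed host.
function activatesAfterFirstFix(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input never activates
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  // Compare the parsed hostname on a label boundary, so "notwebex.com"
  // and "webex.com.attacker.example" do not pass.
  const hostAllowed = ALLOWED_SUFFIXES.some(
    (s) => host === s || host.endsWith("." + s)
  );
  return hostAllowed && url.href.includes(MAGIC_TOKEN);
}

// Constructed sample URLs (hypothetical hosts), evaluated by both checks.
function compareChecks() {
  const samples = [
    "https://attacker.example/" + MAGIC_TOKEN,
    "https://notwebex.com/" + MAGIC_TOKEN,
    "http://meet.webex.com/" + MAGIC_TOKEN,
    "https://meet.webex.com/" + MAGIC_TOKEN,
    "https://meet.webex.com/any/page?next=" + MAGIC_TOKEN,
  ];
  return samples.map((u) => ({
    url: u,
    before: activatesBeforeFix(u),
    afterFirstFix: activatesAfterFirstFix(u),
  }));
}

console.table(compareChecks());
```

The last two rows still activate after the fix: the allow-list trusts every page served from the listed domains, which is why the criticism focuses on script injection on webex.com itself.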
Note to the reader: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code (also commonly referred to as a malicious payload), generally in the form of a browser side script, to a different end user. The latter’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. Source: OWASP
What is more worrying though is that, even without the XSS, an attacker can and will execute arbitrary code as long as the victim clicks “OK” when they are prompted to allow a WebEx meeting to launch on the malicious website.
It doesn’t come as a surprise that Mozilla representatives were more than unhappy with Cisco’s fix and immediately pointed out that other flaws had been noticed on webex.com, such as the fact that the web service does not use HTTP Strict Transport Security (HSTS) or Content Security Policy (CSP). “If I’m an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines”, stated April King, information security engineer at Mozilla. We can’t argue with him on this one.
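A small audit of the two response headers named above, as an added example that is not part of the original article. The function name, the finding codes and the input shape (a plain object of response headers) are assumptions, and the sample header sets are constructed.

```javascript
// Returns finding codes for the two response headers the article names.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("hsts-missing"); // a plain-HTTP request can be intercepted and redirected
  } else {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    if (!m || Number(m[1]) === 0) findings.push("hsts-max-age-zero-or-absent");
    // The extension trusts *.webex.com, so every subdomain needs the policy.
    if (!/(?:^|;)\s*includeSubDomains\s*(?:;|$)/i.test(hsts)) {
      findings.push("hsts-no-includesubdomains");
    }
  }

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("csp-missing"); // nothing limits injected script on the page
  } else {
    const directives = {};
    for (const part of csp.split(";")) {
      const [name, ...values] = part.trim().split(/\s+/);
      const key = name.toLowerCase();
      if (key && !(key in directives)) directives[key] = values; // first one wins
    }
    const scriptSrc = directives["script-src"] || directives["default-src"];
    if (!scriptSrc) {
      findings.push("csp-no-script-restriction");
    } else {
      const lower = scriptSrc.map((v) => v.toLowerCase());
      const hasNonceOrHash = lower.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
      // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
      if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
        findings.push("csp-unsafe-inline-script");
      }
    }
  }
  return findings;
}

// Constructed header sets, not captured from any real site.
console.log(auditHeaders({}));
console.log(auditHeaders({
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "script-src 'self'; object-src 'none'",
}));
```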
Riding the hipster wave…
…might actually be the answer in this case.
When it comes to browsers, it’s perhaps a good idea to not go with the flow and just dare to stand out. Why is that, you may ask? The browser you choose to use can make all the difference where your online experience is concerned, but most people choose to look for ease of use, personalization, and flexibility in their web browser choices, often disregarding the data safety factor.
According to CVE Details, while bearing the title of most popular browser, Google’s Chrome also showed the highest number of vulnerabilities in 2016, compared to all similar existing software. Apple employees working on Safari had less work in 2016: Safari showed the lowest number of discovered software vulnerabilities. The chart below illustrates the number of vulnerabilities the most popular browsers were exposed to during 2016:
But if you don’t necessarily want to change your browser, what is left to be done?
There are a number of things you could opt for in this case. Let’s start with the simple, yet highly effective, ‘turn off WebEx support’. By disabling the add-on altogether in your browser (for the time being), you can prevent the Cisco extension from suddenly activating.
In Internet Explorer 11, click on the Tools cog in the top right corner and choose the Manage add-ons option:
Select the Cisco WebEx LLC add-on and choose Disable to turn it off:
In Chrome, click on the vertical three dots in the top right corner and choose the Settings option:
Go to the Extensions pane and untick the Enabled box to turn off the Cisco WebEx extension:
To be on the safe side, you might also want to look for one of the many existing web filtering products, capable of blocking access to any URL that includes the magic string that activates the WebEx extension:
While this will provide an additional layer of protection on top of disabling the buggy WebEx extension in your browser, do keep in mind that blocking the magic string in your web filter for all users will also stop Mac, Linux and Edge browsers from connecting to WebEx. If you rely on WebEx in your business, this may not be what you want.
UPDATE: You might want to visit Cisco’s cisco-sa-20170124-webex advisory page, where a full patch was just released on February 4.
A magic pattern or string is an input that a programmer believes will never come externally and which activates otherwise hidden functionality. A user of this program would likely provide input that gives an expected response in most situations. However, if the user does in fact innocently provide the pre-defined input, invoking the internal functionality, the program response is often quite unexpected to the user (thus appearing “magical”). Source: Chris Falter (2008-03-06), A Good Solution for Magic String Data, “Egghead Cafe Tutorials”