July 2006
WebEx Security Advisory - Vulnerability within the WebEx Downloader plug-in
ID: 00468
Ref: 455/06
Date: 11 July 2006:13:08:44
Version: 1
Title: WebEx Security Advisory - Vulnerability within the WebEx Downloader plug-in
Abstract: A vulnerability within the WebEx Downloader plug-in can result in arbitrary components being delivered from unauthorized sources.
Vendors affected: WebEx
Operating systems affected: WebEx
Applications affected: WebEx
Vulnerability Summary
A vulnerability within the WebEx Downloader plug-in can result in arbitrary components being delivered from unauthorized sources.
Impact
Execution of unauthorized code on workstations having an outdated version of the WebEx downloader.
Risk: Recommended
This guideline is intended to help customers assess the general impact of security vulnerabilities posted by WebEx Communications. Detailed security advisories will be posted for specific vulnerabilities. This guideline is designed to help users quickly assess their risk at a high level. Because a specific issue will not always have the same risk profile for all users, the final determination of your risk should always be made using all relevant internal information that places the vulnerability in the context of you or your organization.
Rating
Recommended: Potential for malicious code execution or propagation without user awareness. Data security or system resource compromise with low or medium difficulty to exploit.
Optional: Minimum to moderate impact, or mitigated to a large degree by configuration settings, logging and alerting, or complexity to exploit.
Resolution
Download Update at http://www.webex.com/go/downloadSP30
Affected Software
Active-X and Java versions of the WebEx Downloader.
Description
WebEx delivers its application to the desktop via WebEx ActiveX and Java Downloader plug-ins. Previous versions do not validate the source of downloaded components, exposing a security vulnerability. The plug-ins may be updated with properly performing versions.
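The following is an added example, not WebEx code and not a description of how WebEx fixed the plug-ins: one way a component downloader can validate both the source and the content of a component before accepting it. The host name, component name, manifest format and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only host the vendor serves components from (constructed value).
ALLOWED_HOSTS = {"downloads.vendor.example"}


def validate_source(url):
    """Return True only for https URLs on an allow-listed host.

    Compares the parsed host exactly, so look-alike prefixes
    ("allowed.host.evil.example") and userinfo tricks
    ("allowed.host@evil.example") are rejected.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS


def accept_component(url, name, data, manifest):
    """Accept a downloaded component only if source and content both check out.

    Assumption: `manifest` maps component names to SHA-256 hex digests and
    reaches the downloader through a trusted channel (for example, shipped
    inside the signed plug-in itself).
    """
    if not validate_source(url):
        return False
    expected = manifest.get(name)
    if expected is None:  # unknown components are refused, not trusted
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample input: a fake component and its pinned digest.
SAMPLE_DATA = b"constructed component bytes"
SAMPLE_MANIFEST = {"client.dll": hashlib.sha256(SAMPLE_DATA).hexdigest()}
```

Checking the origin alone is not sufficient if the transport or the host can be tampered with, which is why the example also pins the component's digest.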
Answers to Frequently-Asked Questions
Read the FAQ here
Acknowledgements
WebEx thanks David Dewey and Mark Dowd of Internet Security Systems' X-Force, and Zero Day Initiative for reporting this vulnerability.
Revision History
July 6, 2006 - Initial Publication of Update
Disclaimer
©2006 WebEx Communications, Inc. WebEx, WebEx MediaTone, and the WebEx logo are registered trademarks of WebEx Communications, Inc. All rights reserved. All other trademarks are the property of their respective owners.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.