WebEx addresses ActiveX flaw


Dennis Fisher, News Director

Researchers at Internet Security Systems Inc. on Thursday said they had discovered a serious flaw in the widely used WebEx Web conferencing software. But WebEx already has taken steps to prevent attacks.

According to the ISS X-Force, the vulnerability involves the way that the software downloads certain components when users install the WebEx package on their machines.

WebEx Communications Inc. is the Web conferencing market leader and the software is used in thousands of enterprises and organizations around the world.

When users participate in a Web-based meeting using the WebEx software, they must first download a small client. WebEx employs an ActiveX control to download the client onto users' PCs.

The specific problem occurs during the download process when the ActiveX control fails to verify the source or content of the components it installs. This could enable an attacker to create a malicious Web page and trick users into downloading malware instead of the WebEx software, ISS said in its advisory.

The results of a successful attack could vary, but an attacker who is able to implant software on a user's machine could easily gain access to sensitive data or use the PC to attack other assets on the same network.

ISS notified WebEx of the problem some time ago and the two companies developed a fix that WebEx already has implemented. The WebEx service will automatically update the ActiveX control on the machines of all users who access the service going forward.
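
The two checks the advisory says were missing, verifying a component's source and its content before install, can be sketched as follows. This is an added example, not WebEx or ISS code; the host name, file name, payload and digest table are constructed for illustration, and the manifest is assumed to reach the installer through a trusted channel.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for illustration only; not WebEx's real hosts or files.
ALLOWED_HOSTS = {"downloads.example.com"}
PAYLOAD = b"constructed sample component bytes"
MANIFEST = {"client.dll": hashlib.sha256(PAYLOAD).hexdigest()}


class ComponentRejected(Exception):
    """Raised when a component fails the source or content check."""


def check_source(url):
    """Source check: HTTPS only, parsed host on the allow-list, known file."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ComponentRejected("not https: " + url)
    # Compare the parsed hostname, never a substring of the raw URL, so
    # userinfo or look-alike suffixes cannot pass as the trusted host.
    if parts.hostname not in ALLOWED_HOSTS:
        raise ComponentRejected("untrusted host: %s" % parts.hostname)
    name = parts.path.rsplit("/", 1)[-1]
    if name not in MANIFEST:
        raise ComponentRejected("unknown component: " + name)
    return name


def check_content(name, data):
    """Content check: bytes must match the digest pinned in the manifest."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, MANIFEST[name]):
        raise ComponentRejected("digest mismatch for " + name)


def verify_component(url, data):
    """Return the component name only if both checks pass."""
    name = check_source(url)
    check_content(name, data)
    return name


def is_installable(url, data):
    """Boolean wrapper for callers that only need a yes/no decision."""
    try:
        verify_component(url, data)
        return True
    except ComponentRejected:
        return False
```

A production installer would normally rely on code-signature verification rather than a hard-coded digest table; the table here keeps the example self-contained.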