Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'

Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software. All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret " …

  1. a_yank_lurker Silver badge

    An Adobe Wannabe?

    Cisco seems to be trying to overtake Adobe and Slurp for the production of the most dangerous malware people are forced to use.

    1. bazza Silver badge

      Re: An Adobe Wannabe?

      They've made a good effort in doing just that with this little beauty.

      I honestly don't know how anyone could ever write the code for such a thing at any point in the past 20 years and not stop what they're doing. It must take a special kind of blindness (I'm being generous in not using words like lunatic, idiot, numpty, raving moron) to be able to do it. Presumably someone else somewhere in Cisco reviewed the code and also failed to spot it?

      If that's what they do with things like a browser plug in, what's their router source code like?!

      1. Anonymous Coward

        Re: An Adobe Wannabe?

        I honestly don't know how anyone could ever write the code for such a thing ...

        Because "Knowledge Work" is becoming a lot like the assembly lines of old. Programmers are just "hands", waiting in lines outside the virtual factory gates. Fungible resources traded on the global "Marketplace". That attitude is of course returned within the work that they do.

        The attitude is: ""I" don't know these people "I" am working for, the pay is shit and they don't care about me, so who cares what happens to them and their bullshit business!? I do *exactly* what they paid for, *nothing* else."

        I left IT to go back to Electrical Engineering because, more and more, "we" relied on "gig programmers", consultants and people in India or Ukraine (with the Indians one spent as much time arguing and fixing their crap as one would have done coding it). The Ukrainians were good; however, if "you" are not equally good, how does one know that they didn't slip something extra in, for their other jobs with the Mob, NSA or FSB?

        The consultants' cars got ever crappier, so I figured it was time to leave before that person in the shoddy vehicle would be me.

      2. Keith Sware

        Re: An Adobe Wannabe?

        Cisco are now inadvertently promoting themselves as an attack vector; their clients who trust their brand, now have to rethink the trust that they have invested in Cisco network equipment. The culture within Cisco development and test teams needs to be addressed. The code base that created this plug in needs to be audited, the worry is, was this deliberate? Did Cisco hire a developer who had ulterior motives when he/she was writing the code?

        1. JLV Silver badge
          Black Helicopters

          Re: An Adobe Wannabe?

          >was this deliberate?

          Yeah, that's a good question. The assumption most of you have so far is that it was just a nitwit or dishonest dev. Just because this is a massive fail doesn't mean it didn't take time to set up and why would a dev do it on her/his own initiative? That stupid? And it never got caught by QA/reviews?

          On the other hand, could it be a magic, lazy, get-out-of-jail free feature? Just in case something goes really wrong and you want to figure out what's going on, customer-side. You have a backdoor and you use it.

          Not really different from a secret hardcoded, unchangeable, root password, is it? And we never see those either, of course. But, if that's the case, then don't call that a bug, please, because it would have been sanctioned at higher levels than individual incompetent devs.

          Of course, the fact that it nukes security is irrelevant. It's more important that it solves Cisco/insert-other-dodgy-vendors' support problems.

      3. charlie-charlie-tango-alpha

        Re: An Adobe Wannabe?

        "If that's what they do with things like a browser plug in, what's their router source code like?!"

        You don't want to know. You really don't want to know.

    2. tony2heads

      Re: An Adobe Wannabe?

      Crap movies have The Razzies

      Why not have an award for appallingly buggy software?

      I suggest that El Reg is the right place to host it; what do you think?

      Suggested topics could include:

      Most Insecure software

      Phone producers with the most bloatware

      Corporation with most leaks

      Corporation with most spyware

      Website with crappiest interface

      Website with most offensive/in-your-face adware

      1. Pascal Monett Silver badge

        It could be called the Flash Awards.

        1. Mark 65 Silver badge

          The "flashies" has a certain appropriateness, especially if the first one was a fucking disaster.

      2. Keith Sware

        Re: An Adobe Wannabe?

        This would be difficult to police and to manage. The idea of putting bad products / software / hardware onto some sort of naughty step sounds good until you start to think through how it would work. If someone fixes their software bug, do they have a right to be removed from this red banner board, who is going to do that for them, and which independent party is going to test their software to verify that the bug has disappeared? I think that some form of accreditation might be more workable; this would require a software house to pay for the testing to take place in order to get a Good/Healthy software kite mark. There are precedents for this, such as fire safety regulations for electrical appliances, where the law requires that manufacturers who sell in the UK must comply with certain legal requirements.

    3. Crazy Operations Guy

      Re: An Adobe Wannabe?

      Probably the very same coders.

      The facts:

      Adobe's been laying off programmers, mostly the terrible ones.

      Cisco has been desperate to hire programmers with experience in coding multi-media applications.

      Cisco and Adobe's offices are within shouting distance.

      So, I would assume that the programmers that got laid off from Adobe would be going to Cisco. Fairly easy transition, what with staying in the same niche and the commute is not altered that much. So the same morons that botched Flash probably now have their greasy mitts all over Cisco's code.

  2. cbars
    Joke

    Chill

    "It's fine, we did that just to test some stuff!"

    "What stuff?"

    "....... We can neither confirm nor deny that we tested anything"

    1. Dan 55 Silver badge
      Coat

      Re: Chill

      But enough of Trident...

  3. Anonymous Coward

    Plug-ins in 2017? Why don't they just make it a website? WebEx is one of those enterprise apps that if you made it a consumer service and gave it away for free, no one would use it.

  4. disgustedoftunbridgewells Silver badge

    That's just bizarre. Why not just have a protocol handler: webex://12345678, then have the client get the data from Cisco using the ID. I can't believe somebody wrote this and didn't think it was a terrible idea.
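
The design point behind the article's "magic URL" and the commenter's protocol-handler suggestion above is the same: a secret that ships inside the extension (or is visible in a URL) is not an authorization boundary, because every web page can reproduce it. The block below is an added example, not Cisco's code and not from the article, contrasting a path-substring check with an origin allowlist plus a fixed command set. MAGIC_PATH, the hosts webex.example and evil.example, and the command names are made up for illustration.

```javascript
// Added example, not Cisco's code: a "magic URL" is not an authorization
// boundary for an extension's privileged bridge, because the extension
// ships the secret and so every web page can reproduce it.
//
// Everything here is hypothetical: MAGIC_PATH, the webex.example /
// evil.example hosts and the command names are made up for illustration.

const MAGIC_PATH = '/cwcsf-example-magic.html'; // hypothetical secret path

// Weak check: any URL that contains the secret path is treated as "WebEx".
// An attacker page at https://evil.example/ can simply include it.
function weakIsTrustedPage(pageUrl) {
  return pageUrl.includes(MAGIC_PATH);
}

// Hardened check: decide on the origin (scheme://host[:port]) of the page,
// which an attacker cannot forge, never on a path or query fragment.
const TRUSTED_ORIGINS = new Set(['https://webex.example']); // hypothetical

function hardenedIsTrustedPage(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl); // WHATWG URL parser (Node and browsers)
  } catch (e) {
    return false; // unparsable input: deny
  }
  if (u.protocol !== 'https:') return false; // no plaintext or file: origins
  return TRUSTED_ORIGINS.has(u.origin);      // exact match, so lookalike hosts
}                                            // such as webex.example.evil.example fail

// Even a trusted origin should not get a generic "run this" primitive.
// The bridge maps a small set of named commands onto host actions and
// rejects everything else; the command names are hypothetical.
const ALLOWED_COMMANDS = new Set(['joinMeeting', 'getVersion']);

function bridge(pageUrl, message) {
  if (!hardenedIsTrustedPage(pageUrl)) {
    return { status: 'denied', reason: 'untrusted origin' };
  }
  if (!ALLOWED_COMMANDS.has(message.command)) {
    return { status: 'denied', reason: 'unknown command' };
  }
  return { status: 'ok', command: message.command };
}

// Constructed page URLs (not real sites) used to compare the two checks.
const SAMPLE_PAGES = [
  'https://webex.example/meet/123' + MAGIC_PATH,        // legitimate
  'https://evil.example/anything' + MAGIC_PATH,         // attacker path
  'https://webex.example.evil.example/' + MAGIC_PATH,   // lookalike host
  'https://evil.example/?next=' + MAGIC_PATH,           // secret in query
  'http://webex.example' + MAGIC_PATH,                  // downgraded scheme
  'not a url',                                          // garbage
];

// Returns, per sample page, what each check decides.
function compareChecks(pages = SAMPLE_PAGES) {
  return pages.map((p) => ({
    page: p,
    weak: weakIsTrustedPage(p),
    hardened: hardenedIsTrustedPage(p),
  }));
}
```

Calling `compareChecks()` shows the weak check accepting every sample except the unparsable one, while the hardened check accepts only the first; `bridge(SAMPLE_PAGES[0], { command: 'exec' })` is refused even from the trusted origin, which is the second half of the fix: origin decides who may talk, the command allowlist decides what they may ask for.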

  5. pyite

    WebEx needs to die already

    A few years ago, WebEx had the best compatibility whereas GotoMeeting was always the worst.

    Times have sure changed! Now, GotoMeeting works very well on Linux and WebEx fails completely.

    1. Anonymous Coward

      Re: WebEx needs to die already

      Two Words: Skype For Business!

      "It's Free!" Says your penny-pinching manager!

      We ditched something else (can barely remember what it was) for WebEx a couple years ago. Now we're ditching WebEx for Skype. I'm sure when that proves unusable we'll go either back to Option A or perhaps find Option D.

  6. Anonymous Coward
    Coat

    PDF?

    "And PRs wonder why we get uppity when we’re told to install weird extensions during press briefings - PDF + text is fine, thanks."

    Just text, thanks. PDF readers have a surprising amount of attack vectors... a postscript-based graphics language, javascript, tiff, jpeg, etc.

  7. Anonymous Coward

    Maybe it's intentional

    Given Cisco's large government accounts, maybe it's just intentional. Anytime there's a universally deployed app, that would become a tasty target to enable government snooping and/or cyber warfare...


Biting the hand that feeds IT © 1998–2019