Cisco Releases Security Advisory for WebEx Player

Cisco has released a security advisory to address multiple vulnerabilities in the Cisco WebEx Player. The vulnerabilities disclosed in this advisory affect the Cisco WebEx Recording Format (WRF) player.

The following client builds of Cisco WebEx Business Suite (WBS 27) are affected by at least one of the vulnerabilities that are described in this advisory:
  • Client builds 27.32.0 (T27 LD SP32) and prior
  • Client builds 27.25.9 (T27 LC SP25 EP9) and prior
  • Client builds 27.21.10 (T27 LB SP21 EP10) and prior
  • Client builds 27.11.26 (T27 L SP11 EP26) and prior

These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Cisco recommends users and administrators to review the following security advisories and apply any necessary updates to help mitigate the risks.

Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Advisory ID: cisco-sa-20120404-webex
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120404-webex

Summary
The Cisco WebEx Recording Format (WRF) player contains three buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Source: US-CERT

No comments: