
Cisco Webex macOS critical vulnerability discovered and patched

Cisco has uncovered and patched a critical vulnerability in its popular Webex platform. The vulnerability specifically affects the macOS version of the application used by many large organizations in both the public and private sector for remote conferencing and meetings.
According to Cisco’s security alert, the Mac desktop version of Webex is open to a remote injection attack by an unauthenticated attacker due to a bug tracked as CVE-2020-3342. CVE-2020-3342 is rated 8.8 on the Common Vulnerability Scoring System, which places it in the “high” severity range.

The advisory, quoted in an excerpt below, speaks in more detail about the exact nature of CVE-2020-3342:

The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.
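The failure mode the advisory describes is an updater that installs a downloaded file without properly validating its cryptographic protections. The following added example (not Cisco's code; the key, payload and Update structure are assumptions constructed for illustration) shows the fail-closed shape such a check should take: a pinned publisher key, a signature verified over the file's digest, and rejection of anything that is unsigned, altered or signed by a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is the bundle a client downloads: payload plus publisher signature (constructed type).
type Update struct {
	Payload   []byte
	Signature []byte
}

var ErrUntrusted = errors.New("update rejected: signature missing or invalid for pinned publisher key")

// VerifyUpdate fails closed: the payload is returned for installation only when a
// signature from the pinned publisher key validates over the payload's SHA-256.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrUntrusted // no signature at all is a rejection, not a pass
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return nil, ErrUntrusted
	}
	return u.Payload, nil
}

// SignUpdate is the publisher's offline step, included so the example runs stand-alone.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, []byte("constructed update payload"))
	// A look-alike file that differs by even one byte carries a signature that no longer matches.
	lookAlike := Update{Payload: append([]byte("x"), good.Payload...), Signature: good.Signature}
	cases := map[string]Update{"genuine": good, "look-alike": lookAlike, "unsigned": {Payload: good.Payload}}
	for name, u := range cases {
		_, err := VerifyUpdate(pub, u)
		fmt.Println(name, "->", err)
	}
}
```

Only the genuine bundle verifies; the look-alike and unsigned bundles are refused before anything is executed.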

There are no workarounds for this Webex vulnerability, so Cisco recommends applying the released patch as soon as possible. The vulnerability affects Cisco Webex Meetings Desktop App for Mac in all releases earlier than Release 39.5.11.

As of this time, no known attacks have occurred as a result of CVE-2020-3342. This is liable to change, especially in light of the security advisory released by Cisco, which gives hackers full knowledge of the flaw. With so many people working from home, video conferencing software has surged in use, making it an attractive target for cybercriminals. Security advisories are always a double-edged sword in this regard, but companies have a responsibility to inform their customers of such threats.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
