Code execution hole in Webex meeting manager

The U.S. Computer Emergency Response Team (CERT) has raised an alert for a critical ActiveX control vulnerability affecting the Webex Meeting Manager software.

The flaw, discovered by researcher Elazar Broad and rated “highly critical” by Secunia, is confirmed in version 20.2008.2601.4928. Other versions may also be affected.

This vulnerability is due to improper handling of arguments passed to the “NewObject()” method within the WebexUCFObject ActiveX control (atucfobj.dll). By convincing a user to visit a specially crafted web page, a remote attacker may be able to execute arbitrary code.

Broad said Webex has released version 20.2008.2606.4919 of the ActiveX control with a fix for the vulnerability. “The control should be updated when the user joins a meeting,” he said.

US-CERT is strongly encouraging Webex Meeting Manager users to upgrade to this version or set the kill bit for the following CLSID:

  • 32E26FD9-F435-4A20-A561-35D4B987CFDC

Instructions for setting kill bits in Internet Explorer can be found in this Microsoft KB article.
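
The kill bit mitigation above, as an added PowerShell example that is not part of the original advisory or the Microsoft article. It assumes an elevated prompt and the standard Internet Explorer "ActiveX Compatibility" registry location, where a "Compatibility Flags" DWORD with the 0x400 bit set stops IE from loading the control. The only value taken from this page is the CLSID.

```powershell
# Added example: set and verify the IE kill bit for the WebexUCFObject control.
# Run from an elevated PowerShell prompt.
$clsid   = '{32E26FD9-F435-4A20-A561-35D4B987CFDC}'   # CLSID listed in the advisory
$killBit = 0x400                                      # kill bit flag in "Compatibility Flags"

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $roots) {
    # The WOW6432Node branch does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path $root)) { continue }

    $key = Join-Path $root $clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any compatibility flags already present and OR in the kill bit.
    $existing = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current  = if ($existing) { $existing.'Compatibility Flags' } else { 0 }
    $updated  = $current -bor $killBit

    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $updated -Force | Out-Null

    # Read the value back so the result can be logged or audited.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if (($check -band $killBit) -eq $killBit) { 'kill bit SET' } else { 'kill bit NOT set' }
    '{0}: 0x{1:X8} ({2})' -f $key, $check, $state
}
```

Restart Internet Explorer after running it so the new flag is read. The kill bit only blocks loading in IE; upgrading to the fixed control version is still the actual fix.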

[Source: zdnet]