Researchers at Internet Security Systems Inc. on Thursday said they had discovered a serious flaw in the widely used WebEx Web conferencing software. But WebEx already has taken steps to prevent attacks.
According to the ISS X-Force, the vulnerability involves the way that the software downloads certain components when users install the WebEx package on their machines.
WebEx Communications Inc. is the Web conferencing market leader, and its software is used in thousands of enterprises and organizations around the world.
When users participate in a Web-based meeting using the WebEx software, they must first download a small client. WebEx employs an ActiveX control to download the client onto users' PCs.
The specific problem occurs during the download process when the ActiveX control fails to verify the source or content of the components it installs. This could enable an attacker to create a malicious Web page and trick users into downloading malware instead of the WebEx software, ISS said in its advisory.
The results of a successful attack could vary, but an attacker who is able to implant software on a user's machine could easily gain access to sensitive data or use the PC to attack other assets on the same network.
ISS notified WebEx of the problem some time ago and the two companies developed a fix that WebEx already has implemented. The WebEx service will automatically update the ActiveX control on the machines of all users who access the service going forward.
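The advisory says the control verified neither the source nor the content of the components it installed. As an added illustration (not WebEx's or ISS's code, and not a description of the actual fix), the Python below puts both checks in front of an install step; the host name, file name, pinned-digest table and function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical values: a real installer would carry its trusted host list
# and pinned digests inside the signed control itself.
TRUSTED_HOSTS = {"downloads.example.com"}
CONSTRUCTED_CLIENT = b"constructed client component bytes"
PINNED_SHA256 = {"client.bin": hashlib.sha256(CONSTRUCTED_CLIENT).hexdigest()}


class ComponentRejected(Exception):
    """Raised when a component fails the source or content check."""


def check_source(url: str) -> str:
    """Accept only HTTPS URLs on an allowlisted host; return the file name."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ComponentRejected(f"non-HTTPS source: {url}")
    if parts.username or parts.password or parts.hostname not in TRUSTED_HOSTS:
        raise ComponentRejected(f"untrusted host: {parts.hostname}")
    return parts.path.rsplit("/", 1)[-1]


def check_content(name: str, payload: bytes) -> None:
    """Compare the payload digest with the digest pinned for this name."""
    expected = PINNED_SHA256.get(name)
    if expected is None:
        raise ComponentRejected(f"unknown component: {name}")
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ComponentRejected(f"digest mismatch for {name}")


def verify_component(url: str, payload: bytes) -> str:
    """Run both checks; only a component passing both may be installed."""
    name = check_source(url)
    check_content(name, payload)
    return name


def is_installable(url: str, payload: bytes) -> bool:
    try:
        verify_component(url, payload)
        return True
    except ComponentRejected:
        return False
```

The source check alone is not sufficient: a component served from the expected host is still rejected if its bytes do not match the pinned digest.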