WebEx Security Advisory


Date: May 23rd 2006
Control #WEBX-06-1-1
Status: Update Available
Published: July 6, 2006

Vulnerability Summary
A vulnerability within the WebEx Downloader plug-in can result in arbitrary components being delivered from unauthorized sources.

Impact
Execution of unauthorized code on workstations having an outdated version of the WebEx downloader.

Risk: Recommended
This guideline is intended to help customers assess the general impact of security vulnerabilities posted by WebEx Communications. Detailed security advisories will be posted for specific vulnerabilities. This guideline is designed to help users quickly assess their risk at a high level. Because a specific issue will not always have the same risk profile for all users, the final determination of your risk should always be made using all relevant internal information that places the vulnerability in the context of you or your organization.


Rating: Definition
Recommended: Potential for malicious code execution or propagation without user awareness. Data security or system resource compromise with low or medium difficulty to exploit.
Optional: Minimum to moderate impact, or mitigated to a large degree by configuration settings, logging and alerting, or complexity to exploit.


Resolution
Download Update at http://www.webex.com/go/downloadSP30

Affected Software
ActiveX and Java versions of the WebEx Downloader.

Description
WebEx delivers its application to the desktop via WebEx ActiveX and Java Downloader plug-ins. Previous versions do not validate the source of downloaded components, which exposes a security vulnerability. The plug-ins may be updated with properly performing versions.
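
The class of check the description says was missing, as an added example that is not WebEx code: a downloader accepts a component only if it comes from an allowlisted HTTPS host and its bytes match a pinned digest. The advisory does not say how the updated plug-ins validate the source; the host name, manifest, component name and function names below are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only host this downloader may fetch components from.
# "downloads.example.com" is a placeholder, not a host named in the advisory.
TRUSTED_HOSTS = {"downloads.example.com"}

# Constructed sample component and a manifest pinning its SHA-256 digest.
# Assumption: the manifest ships with the downloader or is itself signed.
SAMPLE_COMPONENT = b"constructed component bytes"
MANIFEST = {"component.bin": hashlib.sha256(SAMPLE_COMPONENT).hexdigest()}


class UntrustedComponent(Exception):
    """Raised when a component fails the origin or content check."""


def check_source(url):
    """Allow only HTTPS URLs whose parsed host is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UntrustedComponent("scheme is not https")
    # Compare the parsed hostname, never a substring or prefix of the raw URL:
    # userinfo, ports and look-alike suffixes must not satisfy the check.
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        raise UntrustedComponent("host %r is not allowlisted" % host)
    return host


def check_content(name, data):
    """Require the downloaded bytes to match the digest pinned for `name`."""
    expected = MANIFEST.get(name)
    if expected is None:
        raise UntrustedComponent("component %r is not in the manifest" % name)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UntrustedComponent("digest mismatch for %r" % name)


def accept_component(url, name, data):
    """Return True only when both the origin and the content are trusted."""
    try:
        check_source(url)
        check_content(name, data)
    except UntrustedComponent:
        return False
    return True
```

The origin check alone still depends on the integrity of the transport and the server, which is why the content check is applied before a component is accepted.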

Answers to Frequently-Asked Questions
Read the FAQ here

Acknowledgements
WebEx thanks David Dewey and Mark Dowd of Internet Security Systems’ X-Force, and Zero Day Initiative for reporting this vulnerability.

Revision History
July 6, 2006 – Initial Publication of Update

Disclaimer
©2006 WebEx Communications, Inc. WebEx, WebEx MediaTone, and the WebEx logo are registered trademarks of WebEx Communications, Inc. All rights reserved. All other trademarks are the property of their respective owners.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.