The WebEx Chrome Extension Vulnerability and the Power of Virtual Patching
April 3, 2017
A security team’s life would be so much easier if users would simply comply with common sense. Don’t click on that unknown executable. Ignore that missing Nigerian prince who’s now turning to you, and of course only you, for help for which he’ll reward you handsomely. Skip that website that you KNOW carries malware.
But alas, we know users are, well, users. Most can be relied on to never reboot their machine, never voluntarily change their browsing habits, and always click on every possible attachment. Which is why the vulnerability recently discovered in Cisco Systems’ WebEx extension for Chrome is so important. Besides its scope (the vulnerability impacts some 20 million enterprise users running the WebEx extension), the vulnerability is also a case study in how security teams can protect the business despite user behavior.
Attack Description and Impact
The vulnerability left Chrome users with the WebEx extension susceptible to one of the worst kinds of attacks, remote code execution, through a drive-by attack. Users wouldn’t even have to take action when visiting an infected site. That’s the point of a drive-by attack: users visit the website and unintentionally download a virus or malware that exploits a vulnerability in a browser, app, operating system, or in this case, the WebEx extension.
The website merely needed to host a file or resource containing the following:
cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b
This text string is normally used as the “magic pattern” to start a WebEx meeting with a remote computer. The extension could then send commands to the remote computer using Native Messaging, a Chrome messaging protocol for exchanging information with native applications. This “magic pattern” triggers the WebEx extension on the user’s machine and utilizes it as a bridge to send data in JSON to the native application.
Tavis Ormandy, a researcher with Google’s Project Zero team, discovered that he could change the “message” event to execute any command, not just the command needed to invoke a WebEx session. Apparently, the extension does not validate the source before passing commands to the native code. Ormandy showed how the exploit could, for example, allow an attacker to execute code remotely, and provided a proof of concept.
Your Exposure and What You Can Do
Although Cisco has since updated the WebEx extension, many Chrome users will remain exposed in the near term. Chrome only updates extensions upon restart, while users often leave Chrome running for weeks without rebooting. Running the proof-of-concept released by Ormandy on one user’s machine yielded the following result:
Figure 1 – An example of a remote code execution on a vulnerable employee’s PC. In this example, the employee runs the proof-of-concept released by Google, successfully executing ‘calc.exe,’ proving the exposure.
No doubt security teams should encourage users to download and install the fixed extension. Unified Threat Management (UTM) customers, or customers of cloud-based secure web gateway (SWG) services, should expect their providers to assess the risk to their organization. Cato Research Labs, for example, was able to verify that no employee or customer had been compromised by the vulnerability.
But users can still be vulnerable to the attack vector if they do not upgrade the Chrome WebEx extension. As previously mentioned, the attack only works using a “magic” pattern: cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b. By updating your URL Filter or IPS to block traffic containing the “magic” pattern, you can ensure network users are protected (while on the corporate network) until they upgrade their WebEx extension. This tactic, known as “virtual patching,” protects users while connected to the corporate network even when using compromised applications. Note that you’ll still need to protect users disconnected from the corporate network, such as mobile users, against the threat.
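One way to express the virtual patch described above as a URL check, shown as an added example that is not code from the original article or from any vendor. It assumes a constructed four-field proxy log format (client, method, URL, status) and hypothetical example.test hosts, and it normalizes percent-encoding and case before matching so the filter is not tied to one spelling of the URL.

```python
from urllib.parse import unquote, urlsplit

# "Magic" pattern quoted in the article.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b"


def normalize(url, max_rounds=3):
    """Undo (possibly nested) percent-encoding, then lower-case.

    Matching case-insensitively is a deliberately conservative choice.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()


def should_block(url):
    """Virtual-patch decision: block any URL that carries the pattern."""
    return MAGIC in normalize(url)


def scan_proxy_log(lines):
    """Return (client, host) for every logged request matching the pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip it
        client, url = fields[0], fields[2]
        if should_block(url):
            hits.append((client, urlsplit(url).hostname))
    return hits


# Constructed sample log: client, method, URL, status (assumed format).
SAMPLE_LOG = [
    "10.0.0.5 GET http://intranet.example.test/index.html 200",
    "10.0.0.7 GET http://ads.example.test/x/" + MAGIC + ".html 200",
    "10.0.0.9 GET http://cdn.example.test/f?u=" + MAGIC.upper().replace("-", "%2D") + " 200",
    "10.0.0.5 GET http://cdn.example.test/cwcsf-nativemsg-iframe.html 200",
]

if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"block/follow up: client={client} host={host}")
```

Because the same string is normally used to start a WebEx meeting, hits from a log scan can include legitimate meeting launches as well as hostile pages, so each one needs a look at the serving host.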
Subscribers to an SWG service should check their provider’s response to the WebEx vulnerability. By applying a virtual patch to their services, SWG service providers can block visits to sites with the “magic” URL, protecting users of every one of their customers.
Saving users from themselves is a large part of our jobs. Even when vendors patch new vulnerabilities, users can still harm themselves. But with virtual patching and the adaptability of the cloud, we can go a long way towards mitigating many of those threats — even if our users are slow to take action.