While vulnerabilities in ActiveX controls are not uncommon, the WebEx flaw nicely exemplifies one of their unique quirks – many people simply won’t realize they are vulnerable.

The WebEx vulnerability lets attackers install malware on a target machine simply by persuading the user to view a certain specially constructed web page.

When people enter a WebEx conference for the first time, they are prompted to download and install an ActiveX control through the browser. Unbeknownst to many users, that control stays installed on their machines after the meeting is over.

“A lot of people are invited to use WebEx conferences, but it may be something they only use once a year or half-year, for analyst meetings for instance,” said Gunter Ollman, director of ISS’s X-Force research team. “Once they’ve finished the conference that object remains installed on their machine.”

This is a common feature of ActiveX controls. Web pages that carry these controls can patch the installations automatically after vulnerabilities have been found and fixed, but only if the user visits those pages again. The controls can therefore leave wider exposure windows on machines that use the services only infrequently.

This particular vulnerability allows attackers to install software on machines that have the WebEx control installed. It appears to have come about because WebEx didn’t place restrictions on which sites can invoke the control’s update feature.

“The feature of the component allows WebEx to specify new files to install and where to install them,” Ollman said. “But anybody could call this feature of the ActiveX component; it didn’t have to be WebEx.”
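A practitioner's check for the exposure window described above (the control stays installed, and only a revisit of the vendor's pages patches it): an added example, not code from the article or from WebEx, that reads a Windows `reg export` of Internet Explorer's ActiveX Compatibility key and reports whether the kill bit (the 0x400 Compatibility Flag Microsoft documents for disabling a control) is set for given CLSIDs. The sample export and the WebEx CLSID placeholder are constructed, since the article gives no identifiers.

```python
import re

# Kill-bit flag in the "Compatibility Flags" REG_DWORD (Microsoft KB240797).
KILL_BIT = 0x00000400

ACTIVEX_COMPAT_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def parse_compat_flags(reg_export: str) -> dict:
    """Parse a .reg export and return {CLSID: Compatibility Flags} for the ActiveX key."""
    flags = {}
    current = None
    prefix = ACTIVEX_COMPAT_KEY.upper() + "\\"
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            path = m.group(1)
            # Only subkeys of the ActiveX Compatibility key are CLSIDs we care about.
            current = path[len(prefix):].upper() if path.upper().startswith(prefix) else None
            if current is not None:
                flags.setdefault(current, 0)
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_status(reg_export: str, clsids) -> dict:
    """For each CLSID of interest, report whether its kill bit is set (absent key == not killed)."""
    flags = parse_compat_flags(reg_export)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


# Constructed sample export (not from a real machine). The WebEx CLSID is a
# placeholder because the article does not name the control's CLSID.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{WEBEX-CLSID-PLACEHOLDER}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for clsid, killed in kill_bit_status(SAMPLE_EXPORT, ["{WEBEX-CLSID-PLACEHOLDER}"]).items():
        print(clsid, "kill bit set" if killed else "NOT killed: control still scriptable")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`; a CLSID with no entry or a zero flag is a control that any page can still instantiate.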