Internet Security Systems Discovers and Provides Pre-emptive Protection for WebEx Use of ActiveX Control

December 7, 2006

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX), the worldwide leader in pre-emptive, enterprise security, today announced that its X-Force® research and development team discovered a serious vulnerability in the ActiveX control used by the popular Web conferencing software, WebEx. ISS has worked closely with the company to resolve the vulnerability and, according to WebEx, there have been no reported cases of users adversely affected by the now-resolved vulnerability.

ISS X-Force has discovered a remotely exploitable vulnerability in the WebEx ActiveX control used to install the WebEx client on a user’s machine when attending or hosting a meeting. WebEx uses ActiveX to download the software components needed for a meeting. The vulnerable ActiveX control did not check the validity of the content or source of these additional components, so an attacker who had crafted a custom Web page could cause the WebEx ActiveX control to download and place malicious code on a user’s machine.

WebEx has already updated customer sites, and users’ ActiveX controls are automatically upgraded when they access the service. WebEx has also made a website available for individuals interested in manually updating their installer: http://www.webex.com/go/advisory.

“WebEx is widely used and trusted by organisations of all types and sizes,” said Gunter Ollmann, director of ISS X-Force. “This widespread distribution of the vulnerable client ActiveX agent means that many workstation hosts within an organisation may be the focus of an attack by merely browsing a malicious website.”

If machines are exploited through this vulnerability, WebEx users could unknowingly expose confidential information to attackers or allow them to obtain access to and control over additional assets on a corporate network. Compromise of corporate IT assets and classified information can lead to severe losses in productivity, finances and business reputation.

ISS has provided customers with pre-emptive protection for this flaw through its Proventia® security platform. ISS’ pre-emptive technology is based on the research and discoveries of its X-Force research and development team. By protecting against vulnerabilities rather than known exploits, ISS’ Virtual Patch™ technology keeps organisations ahead of Internet threats until they are able to obtain, test and apply patches from affected vendors.
