Security Software & Equipment Store

Thursday, September 1, 2016

Cisco WebEx Meetings Player Code Execution Vulnerability (CVE-2016-1464)

The vulnerability is due to improper handling of user-supplied files. An attacker could exploit this vulnerability by persuading a user to open a malicious file with the affected software. A successful exploit could allow the attacker to execute arbitrary code on the system with the privileges of the user.

Cisco has informed customers that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Francis Provencher, security researcher and founder of the Canadian government agency COSIG, has been credited by Cisco for identifying two vulnerabilities in WebEx Meetings Player. The more serious of the flaws, rated critical, is CVE-2016-1464, which allows an unauthenticated attacker to remotely execute arbitrary code by convincing a user to open a specially crafted file with the vulnerable software. Another vulnerability found by the researcher, classified as having medium severity, allows an unauthenticated attacker to hack WebEx Meetings Player by getting the victim to open a malicious file. Both vulnerabilities found by Provencher affect Cisco WebEx Meetings Player version T29.10 for WRF files. Cisco has released updates to address the bugs, but no workarounds are available.

Cisco has also published advisories describing five different vulnerabilities affecting Small Business series switches and IP phones. Four of the issues were reported to the vendor by Nicolas Collignon and Renaud Dubourguais of Synacktiv, and one by security researcher Chris Watts.

Will this bug fix by Cisco fully resolve the WebEx Media Player vulnerability? Send your assessment to the Cloud and Cyber Security Center.
