Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13452
HistoryJul 08, 2006 - 12:00 a.m.

[SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities

2006-07-0800:00:00
vulners.com
12
JSON

Reverse Engineer Wanted

Secunia offers a Security Specialist position with emphasis on
reverse engineering of software and exploit code, auditing of
source code, and analysis of vulnerability reports.

http://secunia.com/secunia_security_specialist/

TITLE:
WebEx Downloader Plug-in Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA20956

VERIFY ADVISORY:
http://secunia.com/advisories/20956/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
WebEx Downloader plug-in 2.x
http://secunia.com/product/10916/

DESCRIPTION:
Some vulnerabilities have been reported in WebEx Downloader plug-in,
which can be exploited by malicious people to compromise a user's
system.

1) An error exists in the ActiveX and Java versions of the WebEx
Downloader plug-in where the source of downloaded components is not
properly verified. This can be exploited to install malicious
components on a user's system.

Successful exploitation allows execution of arbitrary code, but
requires that the user e.g. is tricked into visiting a malicious web
site.

The vulnerability has been reported in version 2.0.0.7. Other
versions may also be affected.

2) Some unspecified boundary errors in an included ActiveX control
can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

SOLUTION:
Apply update.
http://www.webex.com/go/downloadSP30

PROVIDED AND/OR DISCOVERED BY:
1) Discovered by an anonymous person and reported via ZDI.
1-2) David Dewey and Mark Dowd, ISS X-Force.

ORIGINAL ADVISORY:
WebEx Communications:
http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456

Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-021.html

ISS X-Force:
http://xforce.iss.net/xforce/alerts/id/226

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

JSON