Researchers at Internet Security Systems (ISS) have discovered a number of flaws in Web conferencing products, including a critical bug in WebEx Communications's client software.
ISS researchers began studying Web conferencing software at the beginning of the year and to date have discovered a handful of security problems in the products, said Gunter Ollmann, director of Internet Security Systems's X-Force threat analysis service. Last year the company launched a similar investigation into VOIP (voice over Internet Protocol) software, which also netted a number of bugs, he said.
The WebEx vulnerability is the first Web conferencing flaw that the company has publicly disclosed, and it is working with vendors to patch and ultimately disclose the others, he said.
The WebEx flaw, which was patched Thursday, could be used by attackers to run unauthorized software on a PC. WebEx encouraged users to make sure that their client software is updated as soon as possible. Customers who do not have automatic updates can manually download the patch.
The bug has to do with a flaw in an ActiveX control used to download WebEx components. "The vulnerability is that you can actually call the WebEx ActiveX agent and tell it to install other things," Ollmann said.
ISS has not heard of any attacks that take advantage of this vulnerability. If it were to be exploited, however, the attacker would first need to trick a victim into visiting a maliciously encoded Web site -- the same technique that has been used in the past to take advantage of similar flaws in Web browsers.
Automatic updates have pushed the patch to more than 95 percent of WebEx customers, WebEx said. The company's small-business products, including WebOffice, MeetMeNow and PCNow, do not use the buggy installer and are not affected by the vulnerability.