a vulnerability in WebEx that can be exploited to execute malicious code on a vulnerable installation. Switchzilla has issued a new fix to address CVE-2018-15442, a command injection bug in its video conferencing software that allows a local attacker to elevate their privileges and then execute code by injecting commands through the software update component of the WebEx Meetings Client. The bug was traced back to the failure of Webex Meetings to properly check arguments passed via its update service commands. Thus a miscreant could run an update command with specially crafted arguments and ultimately execute code with SYSTEM privileges. This means rogue logged-in users or malware already on a Windows system could leverage WebEx to completely hijack the machine.

Cisco had hoped to plug the vulnerability in October with a patch that was thought to have resolved the flaw. However, software-breakers at SecureAuth found that Switchzilla failed to account for DLL preloading. By placing the malicious commands inside a DLL and then executing the update program with that library loaded, an attacker is able to circumvent the patch and exploit the flaw as before to execute commands with system-level clearance. Notably, the attack does not modify the installed copy of WebEx: the update binary is copied to a folder the attacker controls, the attacker's DLL sits beside it, and the update service is then started so that it picks up the library from that folder.

"The vulnerability can be exploited by copying the ptUpdate.exe binary to a local attacker-controlled folder. Also, a malicious DLL must be placed in the same folder, named wbxtrace.dll," SecureAuth explained in its disclosure today. "To gain privileges, the attacker must start the service with the command line:"

Fortunately, the flaw was privately disclosed to Cisco, giving the teleconferencing vendor time to get out a fix before the bug went public. Those running Webex Meetings on their Windows machines should update as soon as possible. While the flaw isn't as severe as a remote code execution bug that could be exploited without any user interaction, the fact that it has now been patched twice and that working proof-of-concept code is public should make patching a priority.
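The bypass described above leaves a recognisable footprint on the host: a copy of ptUpdate.exe executing from somewhere other than the WebEx install directory and loading a wbxtrace.dll from that same folder. The following detection logic is an added example written for this page, not code from the article, Cisco or SecureAuth. The event records are constructed to resemble a process image-load event (process path plus loaded-module path), and EXPECTED_INSTALL_DIRS is an assumption to be replaced with wherever your deployment actually installs the client (it may be a per-user location rather than Program Files).

```python
"""Flag ptUpdate.exe copies running outside the expected WebEx install
directory, and wbxtrace.dll loads from attacker-writable folders.

Added example for this page; not from the article, Cisco or SecureAuth.
The ImageLoad records are constructed sample data, and the install
directories below are an assumption for illustration only.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# ASSUMPTION: where a legitimate WebEx Meetings client is expected to live.
# Replace with the directories your own deployment uses.
EXPECTED_INSTALL_DIRS = (
    PureWindowsPath(r"C:\Program Files (x86)\Webex"),
    PureWindowsPath(r"C:\Program Files\Webex"),
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record: which process loaded which module (constructed format)."""
    pid: int
    user: str
    process_path: str  # full path of the executable doing the loading
    module_path: str   # full path of the DLL that was mapped into it


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` is inside `root`, compared case-insensitively as Windows does."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def _in_install_dir(path: PureWindowsPath) -> bool:
    return any(_under(path, d) for d in EXPECTED_INSTALL_DIRS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding string for suspicious ptUpdate.exe activity, else None."""
    proc = PureWindowsPath(ev.process_path)
    mod = PureWindowsPath(ev.module_path)
    if proc.name.lower() != "ptupdate.exe":
        return None  # only the update binary is of interest here
    is_trace_dll = mod.name.lower() == "wbxtrace.dll"
    if is_trace_dll and mod.parent == proc.parent and not _in_install_dir(proc):
        # The pattern from the disclosure: a relocated ptUpdate.exe picking up
        # a wbxtrace.dll that sits in the same attacker-controlled folder.
        return (f"pid {ev.pid} ({ev.user}): ptUpdate.exe at {proc} loaded "
                f"wbxtrace.dll from its own non-install folder {mod.parent}")
    if not _in_install_dir(proc):
        return f"pid {ev.pid} ({ev.user}): ptUpdate.exe running from unexpected location {proc}"
    if is_trace_dll and not _in_install_dir(mod):
        return f"pid {ev.pid} ({ev.user}): installed ptUpdate.exe loaded wbxtrace.dll from {mod}"
    return None


def scan(events: Iterable[ImageLoad]) -> List[str]:
    """Run classify() over a batch of records and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events: one benign load from the install directory and
# two loads by a copy of ptUpdate.exe placed in a user-writable temp folder.
SAMPLE_EVENTS = [
    ImageLoad(4120, r"CORP\alice",
              r"C:\Program Files (x86)\Webex\ptUpdate.exe",
              r"C:\Program Files (x86)\Webex\wbxtrace.dll"),
    ImageLoad(5508, r"CORP\bob",
              r"C:\Users\bob\AppData\Local\Temp\up\ptUpdate.exe",
              r"C:\Users\bob\AppData\Local\Temp\up\wbxtrace.dll"),
    ImageLoad(5509, r"CORP\bob",
              r"C:\Users\bob\AppData\Local\Temp\up\ptUpdate.exe",
              r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first rule is the one that matches the disclosed technique exactly; the second catches the relocated binary even before it loads anything interesting, and the third catches a DLL planted where an installed copy would search for it. Module equality on PureWindowsPath is case-insensitive, which matters because attacker tooling rarely preserves the casing of the original path.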
ENTERPRISE-FOCUSED communication platform Fuze has fixed a security vulnerability that allowed anyone to access and download recorded meetings on the platform without password authentication. The flaw was discovered towards the end of February by Samuel Huckins of security company Rapid7, and Fuze had disabled access to recorded meetings by the beginning of March. An update to version 4.3.1 of the Fuze platform on March 10 rectified the issue.

"Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem," Fuze said in a statement.

The vulnerability was caused by the way the platform numbered recorded meetings: each recording's URL carried a seven-digit replay identifier that simply incremented over time, which made brute-force attacks relatively easy. Combining URLs that can be guessed by enumerating seven-digit numbers with no requirement for authentication was always going to bring the potential for disaster, though there's no suggestion that anyone with nefarious intent accessed any of the meetings.

"Recorded Fuze meetings are saved to Fuze's cloud hosting service. They could be accessed by URLs such as 'https://browser.fuzemeeting.com/?replayId=7DIGITNUM', where '7DIGITNUM' is a seven digit number that increments over time," Rapid7 explains. "Since this identifier did not provide sufficient keyspace to resist bruteforcing, specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target, and iterating through all likely seven digit numbers. This format and lack of authentication also allowed one to find recordings via search engines such as Google."
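The two defects Rapid7 describes are independent: a keyspace small enough to walk, and no authorisation check on the URL that names a recording. The following is an added example, not Fuze's or Rapid7's code, that models the weak scheme beside a hardened one. The in-memory stores, the owner/allow-list model and the function names are constructed for illustration; the sequential scheme is a minimal reproduction of the article's description, and the hardened scheme uses a 128-bit random token plus an explicit access check.

```python
"""Sequential, unauthenticated replay IDs versus random tokens with an ACL.

Added example for this page; not Fuze's or Rapid7's code. The stores and
user model are constructed for illustration.
"""
import secrets
from typing import Dict, FrozenSet, Optional, Tuple


# --- Weak scheme, as the article describes it -------------------------------
class SequentialReplayStore:
    """Recordings addressed by a seven-digit number that increments; no auth."""

    def __init__(self, start: int = 1_000_000) -> None:
        self._next = start
        self._recordings: Dict[int, str] = {}

    def save(self, owner: str, blob: str) -> int:
        replay_id = self._next          # predictable: previous ID + 1
        self._next += 1
        self._recordings[replay_id] = blob
        return replay_id

    def fetch(self, replay_id: int) -> Optional[str]:
        # No caller identity is even asked for: knowing the number is enough.
        return self._recordings.get(replay_id)


def brute_force_nearby(store: SequentialReplayStore, known_id: int, radius: int) -> Dict[int, str]:
    """Walk IDs around one you know (your own recording, say) and collect every hit."""
    found: Dict[int, str] = {}
    for rid in range(known_id - radius, known_id + radius + 1):
        blob = store.fetch(rid)
        if blob is not None:
            found[rid] = blob
    return found


def seconds_to_enumerate(id_digits: int, requests_per_second: float) -> float:
    """Worst-case time to try every ID of the given length at a fixed request rate."""
    return 10 ** id_digits / requests_per_second


# --- Hardened scheme ------------------------------------------------------------
class TokenReplayStore:
    """Random 128-bit replay tokens, and an owner/allow-list check before serving."""

    def __init__(self) -> None:
        # token -> (owner, users allowed to view, recording)
        self._recordings: Dict[str, Tuple[str, FrozenSet[str], str]] = {}

    def save(self, owner: str, blob: str, allowed: FrozenSet[str] = frozenset()) -> str:
        token = secrets.token_urlsafe(16)   # 16 random bytes: 128 bits of entropy
        self._recordings[token] = (owner, allowed | {owner}, blob)
        return token

    def fetch(self, token: str, requesting_user: Optional[str]) -> Optional[str]:
        """Serve the recording only to an authenticated user on its allow-list."""
        entry = self._recordings.get(token)
        if entry is None or requesting_user is None:   # unknown token or anonymous caller
            return None
        _owner, allowed, blob = entry
        return blob if requesting_user in allowed else None


if __name__ == "__main__":
    weak = SequentialReplayStore()
    mine = weak.save("attacker", "my own meeting")
    weak.save("victim", "confidential board call")
    print("harvested:", brute_force_nearby(weak, mine, 10))
    print("hours to walk all 7-digit IDs at 100 req/s:",
          seconds_to_enumerate(7, 100.0) / 3600)

    strong = TokenReplayStore()
    tok = strong.save("victim", "confidential board call", frozenset({"colleague"}))
    print("anonymous:", strong.fetch(tok, None), "| colleague:", strong.fetch(tok, "colleague"))
```

Either fix alone narrows the exposure, but the token on its own still leaves a bearer URL that can leak through referrers, logs or a search index, and the access check on its own still lets an attacker discover which IDs exist; the hardened store applies both. The entropy figure is the point of `secrets.token_urlsafe(16)`: ten million sequential IDs can be walked in about a day at 100 requests per second, whereas a 128-bit token cannot be enumerated at any rate.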