security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas. Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. Such a security vulnerability has wide-reaching, real-world consequences -- as criminals could compromise a surveillance camera feed, replace the footage with a static image, and raid a premises, for example. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.
Speaking to ZDNet, Gavin Millard, VP of threat intelligence at Tenable, said that organizations all over the world use Nuuo software, including in shopping centers, hospitals, banks, and public areas. However, therein lies the problem -- as the software is also white labeled to over 100 brands and 2,500 camera product lines. Tenable disclosed the zero-day vulnerability to Nuuo. A patch has not been released, but Nuuo is currently developing a fix for deployment. A plugin has also been released by Tenable for organizations to assess whether or not they are vulnerable to Peekaboo. ZDNet has reached out to Nuuo and will update if we hear back.
The big security issue of the week is a remote code execution hole related to the Cisco WebEx service. WebEx is a popular collaboration tool for online events such as meetings, webinars and videoconferences. Like many services of this sort, you access online events via your browser, augmented by a special-purpose browser extension. Browser extensions and plugins allow web developers to extend the software features inside your browser with a mixture of scripts and program code, for example to add configuration options or to support new audio and video formats. Of course, when you add another layer of programmatic complexity on top of an already-complex browser, it’s easy to add new security holes, too. Perhaps the best known example of a problematic plugin is Adobe Flash, which has provided cybercrooks with such a fruitful source of exploitable security holes over the years that we have long been urging you to try to live without Flash altogether. The latest security scare of this sort has been dubbed CVE-2017-3823, and it applies to Cisco’s special-purpose WebEx browser extension. In other words, if your organisation uses WebEx, you probably have the browser extension installed, and if you have it installed, you may be at risk. According to Tavis Ormandy at Google’s Project Zero, who discovered and documented the bug, there are more than 20 million WebEx users worldwide. According to Cisco, Internet Explorer, Chrome and Firefox on Windows are affected. Microsoft Edge on Windows and all browsers on Mac and Linux are safe. The most recent update for Chrome is Cisco WebEx extension 1.0.7. Cisco published a notification about this update at 2017-01-26T19:45Z, having issued and then withdrawn 1.0.3 and then 1.0.5 earlier this week after deeming them “incomplete”.
However, at 2017-01-26T19:45Z, Cisco’s official Security Advisory page says: Cisco is currently developing updates that address this vulnerability for Firefox and Internet Explorer. There are no workarounds that address this vulnerability. Using Microsoft Edge on Windows or any browser on Mac or Linux will shield you from this bug because it doesn’t apply on those platforms. You can also turn off WebEx support in your browser temporarily, thus preventing the Cisco extension or add-on from activating unexpectedly.