Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

by Dan Goodin, Ars Technica
(Image credit: Getty Images)

Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.

The vulnerability, first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly sanitize HTML contained in user-sent messages. Its filter relied on an incomplete blocklist of dangerous attributes, and that blocklist could be bypassed with an event-handler attribute it did not cover: onanimationstart, which runs its JavaScript handler as soon as a CSS animation on the element begins, so the payload fires without a click or any other action from the recipient.

Messages carrying the attribute were passed straight into the DOM of the app's embedded browser. That browser is built on the Chromium Embedded Framework, a full browser engine, so any script that survived the filter was executed. The blocklist itself is the root problem: HTML has dozens of on* event-handler attributes, and a filter that enumerates bad ones rather than allowing only a known-safe set of tags and attributes will be bypassed by whichever one it forgot.
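The blocklist bypass described above, as an added example that is not part of the original article and is not Cisco's or Watchcom's code: a blocklist-style message filter that strips only the event handlers it knows about, beside an allowlist-style filter that rebuilds each tag from a known-safe set. The blocklist contents, the sample messages and the helper names are assumptions made for illustration; the real Jabber filter is not reproduced here.

```javascript
// Added example (not Cisco's or Watchcom's code): a blocklist-style
// message filter of the kind the article describes, beside an
// allowlist-style filter. The blocklist contents below are an assumption
// made up for illustration, not the list Jabber actually used.

// Hypothetical blocklist: the handful of script-bearing attributes a
// developer is most likely to think of. onanimationstart is not on it.
const BLOCKED_ATTRS = new Set(["onclick", "onload", "onerror", "onmouseover"]);

// Blocklist sanitizer: strips only the attributes it has heard of and
// leaves everything else in the message untouched.
function blocklistSanitize(html) {
  return html.replace(
    /\s+(on\w+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi,
    (match, name) => (BLOCKED_ATTRS.has(name.toLowerCase()) ? "" : match)
  );
}

// Allowlist sanitizer: keeps only known-safe tags and attributes and
// rebuilds each tag from scratch, so every on* handler, every unknown tag
// (script, style, iframe, ...) and every non-http(s) href is dropped
// whether or not anyone anticipated it.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "span", "a"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);

function allowlistSanitize(html) {
  // Simplified tokenizer for illustration: it assumes '>' does not appear
  // inside attribute values. Production code should use a maintained
  // HTML sanitizer rather than regexes.
  return html.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (tag, name, rawAttrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";            // unknown tag: remove it
    if (tag.startsWith("</")) return `</${lower}>`;     // closing tags carry no attributes
    const kept = [];
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      const attrName = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (!ALLOWED_ATTRS.has(attrName)) continue;       // drops every on*, style, etc.
      if (attrName === "href" && !/^https?:\/\//i.test(value)) continue; // no javascript: URLs
      kept.push(`${attrName}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${lower}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Crude check used only to make the demonstration visible: does the
// filtered markup still carry an obvious script-execution vector?
function hasScriptVector(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample messages (not real traffic). The first mimics the
// bypass the article describes: a CSS animation plus an onanimationstart
// handler, which fires as soon as the element is rendered.
const ANIMATION_PAYLOAD =
  '<style>@keyframes x{}</style><p style="animation:x 1s" onanimationstart="alert(1)">hi</p>';
const CLICK_PAYLOAD = '<p onclick="alert(1)">hi</p>';
const LINK_PAYLOAD = '<a href="javascript:alert(1)" title="x">link</a>';

// Runs both sanitizers over each sample and reports whether a script
// vector survives; returns the table so it can be checked programmatically.
function demo() {
  const results = {};
  const samples = { animation: ANIMATION_PAYLOAD, click: CLICK_PAYLOAD, link: LINK_PAYLOAD };
  for (const [label, msg] of Object.entries(samples)) {
    results[label] = {
      blocklistStillExecutes: hasScriptVector(blocklistSanitize(msg)),
      allowlistStillExecutes: hasScriptVector(allowlistSanitize(msg)),
    };
    console.log(label, results[label]);
  }
  return results;
}

demo();
```

Run it with node. The blocklist filter catches the onclick sample, which is exactly the false reassurance a blocklist gives: the animation sample and the javascript: link sail through because nobody put them on the list. The allowlist filter never has to know about onanimationstart; it drops the attribute because it is not one of the two it permits. The regex tokenizer here is deliberately minimal; in a real client, use a maintained sanitizer configured with an allowlist.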

Source: Ars Technica, https://arstechnica.com/ (feed: http://feeds.arstechnica.com/arstechnica/index)