A Single Text is All it Took to Unleash Code-Execution Worm in Cisco Jabber
upstart writes in with an IRC submission:
A single text is all it took to unleash code-execution worm in Cisco Jabber:
Until Wednesday, a single text message sent through Cisco's Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.
The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that's designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as "onanimationstart."
[...] CVE-2020-3430 carries a severity score of 8.8.
Two other vulnerabilities, CVE-2020-3537 and CVE-2020-3498, have severity ratings of 5.7 and 6.5, respectively.
The vulnerabilities affect Cisco Jabber for Windows versions 12.1 through 12.9.1[*]. People using vulnerable versions should update as soon as possible.
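To illustrate the class of filter weakness the excerpt describes, here is an added example that is not Cisco's, CEF's or the article's code: a blocklist sanitizer that strips only the event-handler attributes it knows about, beside an allowlist sanitizer that keeps only attributes a message renderer needs. The sample message, the two attribute sets and the handler names are constructed.

```javascript
// Added illustration: why a blocklist of "known bad" event-handler
// attributes is fragile, and why an attribute allowlist is the safer
// design for a chat client that renders HTML in an embedded browser.

// Constructed blocklist. onanimationstart is absent, mirroring the kind
// of gap the article describes.
const BLOCKED_ATTRS = new Set(["onclick", "onload", "onerror", "onmouseover"]);

// Constructed allowlist: attributes a renderer needs; everything else is dropped.
const ALLOWED_ATTRS = new Set(["href", "title", "class"]);

// Start tags only; closing tags have no attributes and are left untouched.
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*?)(\/?)>/g;
// name, optionally followed by = and a quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Rewrite every start tag, keeping only attributes that `keep` accepts.
function filterAttributes(html, keep) {
  return html.replace(TAG_RE, (m, tag, attrs, selfClose) => {
    const kept = [];
    for (const a of attrs.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (keep(name)) kept.push(a[2] === undefined ? a[1] : `${a[1]}=${a[2]}`);
    }
    const space = kept.length ? " " : "";
    return `<${tag}${space}${kept.join(" ")}${selfClose}>`;
  });
}

// Blocklist: strips only handlers it has heard of.
function sanitizeBlocklist(html) {
  return filterAttributes(html, name => !BLOCKED_ATTRS.has(name));
}

// Allowlist: strips every attribute not explicitly permitted, so any on*
// handler, present or future, never reaches the renderer.
function sanitizeAllowlist(html) {
  return filterAttributes(html, name => ALLOWED_ATTRS.has(name));
}

// Regression check a test suite can run: does any on* attribute survive?
function hasEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample message, not a payload from the advisory.
const SAMPLE = '<a href="https://example.test" onclick="x()" onanimationstart="y()">hi</a>';
console.log(sanitizeBlocklist(SAMPLE)); // onanimationstart survives
console.log(sanitizeAllowlist(SAMPLE)); // only href survives
```

The `hasEventHandler` check is the kind of assertion worth keeping in a sanitizer's test suite: it fails whenever a new handler attribute slips through, regardless of whether the blocklist has been updated.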
[20200907_115013 UTC: Added (martyb)]
Link to download Cisco Jabber... BUT, I just downloaded a copy of the MSI using that link and found I had "Version: 12.9.0.53429, Build: 303429". Further, the Cisco advisory states that version 12.9.1 is the First Fixed Release. Something does not look right here.
Here are links to advisory entries on: (1) MITRE's Common Vulnerabilities and Exposures (CVE®) List, (2) NIST (National Institute of Standards and Technology), and (3) Cisco:
CVE-2020-3430: | MITRE | NIST | Cisco |
CVE-2020-3537: | MITRE | NIST | Cisco |
CVE-2020-3498: | MITRE | NIST | Cisco |