
Cisco


Patch Now: Cisco Webex Meetings Vulnerability

By News


Cisco Urges Users to Patch for Webex Vulnerability

Cisco has found a flaw which allows attackers to execute arbitrary code with the user’s privileges when running Cisco Webex Meetings Virtual Desktop App for Windows.

Cisco explains, “A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user.”

Cisco’s Product Security Incident Response Team has not yet seen any attacks in the wild, but with so many remote workers due to COVID, organizations could be exposed.

Cisco has given the bug a severity rating of 7.3 out of a possible 10 and tracks it as CVE-2020-3588.

Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows.

“Understanding your environment’s exposure, not only to operating system vulnerabilities, but also critical third-party applications like Cisco Webex, is vital to ensure IT compliance and security. Advanced patch and vulnerability management technology like Syxsense closes potential routes of exposure even in remote worker environments we see today with COVID,” commented Ashley Leonard, CEO of Syxsense Inc.


Who Are the Worst Vendors of 2019?

By News, Patch Management

From the highest number of software updates to highest number of critical vulnerabilities, find out which vendors are the worst offenders.

2019 has brought serious threats causing massive disruption and data theft. Which vendor has released the most software updates and fixes in 2019, and of these, which updates are the most critical? Let’s find out!

The top 20 vendors look like this for 2019—this means Microsoft has released the most patches to fix a vulnerability of any severity out of the most popular software vendors.

Let’s see how the top 10 from this list compare when we deep dive into the severity of the vulnerabilities fixed. For simplicity, we will base our statistics on the CVSS Score.

What is a CVSS Score?

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

We can see that Microsoft have released a total of 6330 patches so far this year, with 2143 of these patches resolving a vulnerability with a CVSS score of 9 or higher. Just behind Microsoft in second place is Adobe – which has released 2052 updates.

Let’s take a look at how the most serious vulnerabilities impact the original ranking. We can see from the table below that the top 5 vendors have made significant movements and some are unexpected, e.g. IBM has moved out of the top 5 and Adobe has moved into the top 5.

Who’s the worst?

To continue this trend analysis review and to find out who has fixed the highest number of critical vulnerabilities, let’s compare the percentage of those threats against the total number of patches they have released this year.

We can do this by dividing the number of vulnerabilities with a CVSS score of more than 9 by the total number of patches released and multiplying by 100. The following table shows the new ranking of the vendors against the original ranking.

Robert Brown, Director of Services said, “What is really surprising is that a third party vendor to Microsoft has fixed more high priority vulnerabilities than them. If you do not have a strategy to include third party updates believing that only Microsoft needs to be patched, I hope this table convinces you to implement a different, more inclusive process. Not only that, some of these third party vendors like Oracle and Cisco are less likely to appear in a patching strategy which would expose a lot of your estate. Lastly, the toolset you use to patch your environment should be flexible to include other non-Windows operating systems like RedHat and Suse.”


Cisco Fixes Critical WebEx Bug

By News, Patch Management

A critical vulnerability in Cisco WebEx browser extensions that could allow unauthenticated remote code-execution on targeted machines is being actively exploited in the wild.

Cisco have re-released a patch to resolve a critical vulnerability in its highly popular conferencing solution. The following versions of the Cisco WebEx browser extensions are affected:

  • Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome
  • Versions prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox
  • Versions prior to 2.1.0.10 of the Download Manager ActiveX control plugin on Internet Explorer

By exploiting this latest issue, attackers could execute arbitrary code with the privileges of the affected browser on Windows PCs that have specific browser extensions installed. The vulnerable extensions are for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center and Support Center), according to an advisory.
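
An added example (not from the original article or from Cisco) of triaging an endpoint inventory against the fixed versions listed above. The component keys, host names and inventory rows are constructed for illustration; only the three version thresholds come from the article.

```python
# First fixed versions, taken from the affected-versions list in the article.
# The component keys are hypothetical labels chosen for this example.
FIXED = {
    "chrome:cisco-webex-extension": "1.0.7",
    "firefox:activetouch-general-plugin-container": "106",
    "ie:download-manager-activex": "2.1.0.10",
}

def parse_version(text):
    """Turn '2.1.0.10' into (2, 1, 0, 10); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(component, installed):
    """True when the installed version is lower than the first fixed version."""
    fixed = parse_version(FIXED[component])
    have = parse_version(installed)
    # Pad to equal length so '1.0' and '1.0.0' compare as equal.
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) < pad(fixed)

def triage(inventory):
    """Return (host, component, installed, status) rows.

    Unparseable versions and unlisted components are reported as 'unknown'
    rather than 'ok', so they get a manual check instead of being skipped.
    """
    rows = []
    for host, component, installed in inventory:
        try:
            status = "affected" if is_affected(component, installed) else "ok"
        except (KeyError, ValueError):
            status = "unknown"
        rows.append((host, component, installed, status))
    return rows

SAMPLE = [  # constructed inventory rows
    ("pc-01", "chrome:cisco-webex-extension", "1.0.5"),
    ("pc-02", "chrome:cisco-webex-extension", "1.0.10"),  # a string compare would wrongly flag this
    ("pc-03", "firefox:activetouch-general-plugin-container", "105"),
    ("pc-04", "ie:download-manager-activex", "2.1.0.9"),
    ("pc-05", "ie:download-manager-activex", "2.1.0.10"),
    ("pc-06", "ie:download-manager-activex", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Versions are compared as integer tuples because a plain string comparison would rank 1.0.10 below 1.0.7 and report a patched host as affected.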

Robert Brown, Director of Services for Verismic said, “The bug affects almost all well-known browsers including Google Chrome, Mozilla Firefox and Internet Explorer and with a CVSS score of 8.8 (High Severity) we are recommending our clients perform the deployment urgently. This vulnerability is known to be actively targeted for exploitation.”
