Cisco WebEx Meeting Manager Drive-By Exploit
On August 20, our honeypots began to receive attacks against the Cisco WebEx Meeting Manager vulnerability. This August 6 vulnerability exists in the ActiveX control used by WebEx to permit users to participate in meetings via Internet Explorer. Users running the vulnerable version of the Webex control who happened upon a Web site distributing the exploit would become infected. The first exploits that we have seen so far have been served via gaming sites that have had the exploit package injected on to them.
While WebEx will automatically patch each user when they join a meeting hosted on a patched server, this vulnerability is only two weeks old. Many vulnerable users may have been on holidays, making it reasonably likely that some users will become infected by visiting day-to-day Web sites before their next WebEx meeting.
This particular attack is detected by Symantec IPS-enabled products (NIS/NAV/N360, SEP/SCS) as MSIE WebEx Meeting Manager ActiveX BO. Shipping along with this exploit are a series of other exploits detected as follows: ADODB, Microsoft Snapshot, Microsoft Works ActiveX, RealPlayer IERPCtl, RealPlayer console, Yahoo! GetFile, Kodak malformed TIFF, and Microsoft Windows VML.