Researchers at ISS have discovered several flaws in web conferencing products, including a critical bug in WebEx Communications' client software.
ISS researchers began studying web conferencing software at the beginning of the year and to date have discovered a handful of security problems, said Gunter Ollmann, director of the company's X-Force threat analysis service. Last year the Atlanta company launched a similar investigation into VoIP software, which also netted a number of bugs, he said.
The WebEx vulnerability is the first web conferencing flaw that the company has publicly disclosed, and it is working with vendors to patch and ultimately disclose the others, he said.
The WebEx flaw, which was patched Thursday, could be used by attackers to run unauthorised software on a PC. WebEx encouraged users to make sure that their client software is updated as soon as possible.
The bug lies in an ActiveX control used to download WebEx components. "The vulnerability is that you can actually call the WebEx ActiveX agent and tell it to install other things," Ollmann said.
ISS has not heard of any attacks that take advantage of this vulnerability. If it were to be exploited, however, the attacker would first need to trick a victim into visiting a maliciously encoded website - the same technique that has been used in the past to take advantage of similar flaws in web browsers.
Automatic updates have pushed the patch to more than 95 percent of WebEx customers, WebEx said. The company's small-business products, including WebOffice, MeetMeNow and PCNow, do not use the buggy installer and are not affected by the vulnerability.