===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0979
    Multiple Vulnerabilities in the Cisco WebEx Recording Format Player
                              11 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco WebEx Recording Format Player
Publisher:         Cisco Systems
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3941 CVE-2012-3940 CVE-2012-3939
                   CVE-2012-3938 CVE-2012-3937 CVE-2012-3936

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-webex

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in the Cisco WebEx Recording Format Player

Advisory ID: cisco-sa-20121010-webex

Revision 1.0

For Public Release 2012 October 10 16:00  UTC (GMT)
----------------------------------------------------------------------

Summary
=======

The Cisco WebEx Recording Format (WRF) player contains six buffer
overflow vulnerabilities. In some cases, exploitation of the
vulnerabilities could allow a remote attacker to execute arbitrary
code on the system with the privileges of a targeted user. 

The Cisco WebEx WRF Player is an application used to play back WRF
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The Cisco WebEx
WRF Player can be automatically installed when the user accesses a
recording file that is hosted on a WebEx meeting site. The Cisco WebEx
WRF Player can also be manually installed for offline playback after
downloading the application from:
http://www.webex.com/play-webex-recording.html.

If the Cisco WebEx WRF Player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when users
access a recording file that is hosted on a WebEx meeting site. If the
Cisco WebEx WRF Player was manually installed, users will need to
manually install a new version of the Cisco WebEx WRF Player after
downloading the latest version from:
http://www.webex.com/play-webex-recording.html.

Cisco has updated affected versions of the WebEx meeting sites and
Cisco WebEx WRF Player to address these vulnerabilities. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-webex

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================